US8776208B2 - Incorporating network connection security levels into firewall rules - Google Patents

Incorporating network connection security levels into firewall rules Download PDF

Info

Publication number
US8776208B2
US8776208B2 US13/427,436 US201213427436A US8776208B2 US 8776208 B2 US8776208 B2 US 8776208B2 US 201213427436 A US201213427436 A US 201213427436A US 8776208 B2 US8776208 B2 US 8776208B2
Authority
US
United States
Prior art keywords
transmission
firewall
parameter
connection security
firewall rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
US13/427,436
Other versions
US20120185929A1 (en
Inventor
Eran Yariv
Gerardo Diaz-Cuellar
David Abzarian
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsoft Corp filed Critical Microsoft Corp
Priority to US13/427,436 priority Critical patent/US8776208B2/en
Publication of US20120185929A1 publication Critical patent/US20120185929A1/en
Application granted granted Critical
Publication of US8776208B2 publication Critical patent/US8776208B2/en
Assigned to MICROSOFT TECHNOLOGY LICENSING, LLC reassignment MICROSOFT TECHNOLOGY LICENSING, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MICROSOFT CORPORATION
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data

Definitions

  • Firewalls provide for security of computers by regulating what data is allowed into and out of a computer or a computer network to which the computer is connected.
  • IPsec Internet Protocol Security
  • connection security Another method for computer network security is Internet Protocol Security (IPsec), also called connection security. IPsec is a protocol that secures connections between two computers, or a computer and a computer network having a device supporting IPsec.
  • Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices.
  • a firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.
  • a method for configuring a firewall for use in a computer system that comprises at least one first device disposed inside the firewall and at least one second device disposed outside the firewall.
  • the method comprises an act of establishing at least one rule for the firewall that determines at least one filtering function.
  • the filtering function is one that the firewall performs on communications between the at least one first device and the at least one second device.
  • the at least one rule employs at least one filtering parameter that is based on at least one connection security level established for a connection between the at least one first device and the at least one second device.
  • At least one computer readable medium encoded with a plurality of instructions that, when executed, perform a method for configuring a firewall for use in a computer system that comprises at least one first device disposed inside the firewall and at least one second device disposed outside the firewall.
  • the method comprises an act of implementing at least one rule for the firewall that determines at least one filtering function.
  • the filtering function is one that the firewall performs on communications between the at least one first device and the at least one second device.
  • the at least one rule employs at least one filtering parameter that is based on at least one connection security level established for a connection between the at least one first device and the at least one second device.
  • a device for use in a computer system that comprises a firewall, at least one first device disposed inside the firewall, and at least one second device disposed outside the firewall.
  • the device comprises at least one processor programmed to implement at least one rule for the firewall.
  • the at least one rule determines at least one filtering function that the firewall performs on communications between the at least one first device and the at least one second device.
  • the at least one rule employs at least one filtering parameter that is based on at least one connection security level established for a connection between the at least one first device and the at least one second device.
  • FIG. 1 is a flowchart of an illustrative process of an overall communication flow in accordance with one embodiment of the present invention
  • FIG. 2 is a flowchart of an illustrative process of negotiating a connection security level between two computer apparatuses in accordance with one embodiment of the present invention
  • FIG. 3 is a flowchart of an illustrative process of confirming that received transmissions meet a negotiated security level in accordance with one embodiment of the present invention
  • FIG. 4 is a flowchart of an illustrative process of matching received transmissions to firewall rules maintained by a security engine in accordance with one embodiment of the present invention
  • FIG. 5 is an exemplary schema that may be used to store firewall rules created in accordance with one embodiment of the present invention.
  • FIG. 6 is an exemplary graphic interface that may be used to create or manage firewall rules in accordance with one embodiment of the present invention
  • FIG. 7 is an exemplary computer apparatus that may be used in accordance with one embodiment of the present invention.
  • FIG. 8 is an exemplary firewall enforcement engine that may be used in a security engine implemented in accordance with one embodiment of the present invention.
  • FIG. 9 is an exemplary connection security enforcement engine that may be used in a security engine implemented in accordance with one embodiment of the present invention.
  • FIG. 10A is an exemplary computer system on which embodiments of the invention may be implemented.
  • FIG. 10B is an exemplary computer system on which embodiments of the invention may be implemented.
  • firewall and connection security e.g., IPsec
  • IPsec IP Security
  • a firewall's policy for a computer or computer network may specifically allow traffic from a certain sender/computer while a connection security policy for the computer or the computer network may block the sender/computer because it does not have sufficiently secure algorithms for connection security or may not be configured to connect securely (i.e., the sender/computer does not support connection security).
  • This conflict may lead to the sender/computer being blocked by one security method despite being specifically allowed by another, which may, in turn, lead to difficulty in troubleshooting the multiple security elements.
  • This troubleshooting may be made more difficult if there is variation in the ordering and precedence of the security elements (e.g., a firewall's policy may supersede a connection security policy in some circumstances but the connection security policy may supersede the firewall policy in others).
  • a firewall's policy may supersede a connection security policy in some circumstances but the connection security policy may supersede the firewall policy in others).
  • a computer or computer network administrator for a conventional system may have to duplicate (at least) his or her efforts for security by making changes to multiple security elements (e.g., firewall and IPsec) when seeking to make a change to the computer or computer network's security.
  • This task may be more difficult if the security elements are hosted by different machines in a computer network. Further, in computers or computer networks having complex security policies, the effort involved in completing the task may be prohibitive. Thus, administrators may be dissuaded from combining security methods.
  • firewall rules based wholly or partially on IPsec connection security levels.
  • firewall rules can be adopted that evaluate parameters of other security techniques, or that two other types of security methods may be combined.
  • a firewall may be installed in many different places on a computer network, such as on a dedicated computer apparatus placed at an entry/exit point for the network (i.e., where one computer network connects to another computer network), or on a computer to regulate communication for the computer. Based on certain parameters, data may be “allowed” to pass through the firewall to its destination or may be “blocked” by the firewall and dropped. These parameters may be based on a variety of factors regulated by firewall rules.
  • an exemplary firewall may be implemented with an initial rule, such as “block all incoming traffic” or “allow all outgoing traffic.” Other rules may be then added to the initial rule to define “exceptions” to the initial rule.
  • a firewall installed in a computer network having a web server may block all incoming traffic except traffic on Transmission Control Protocol (TCP) port 80 (port 80 is typically associated with web traffic following the Hypertext Transfer Protocol (HTTP)).
  • TCP Transmission Control Protocol
  • HTTP Hypertext Transfer Protocol
  • a firewall could also limit which host computers may send or receive data through the firewall by implementing a firewall rule specifying certain host addresses such as a host's Internet Protocol (IP) address.
  • IP Internet Protocol
  • a firewall may limit at least some traffic based not on its origin or destination, but rather on what kind of data is being transmitted or received.
  • a firewall may, for example, specify that only a certain computer service or computer application is permitted to communicate through the firewall.
  • firewall rules may be implemented based on a combination of any number of parameters. In this manner, a firewall rule may allow incoming traffic on TCP port 80 but may further stipulate that that traffic be HTTP traffic, to prevent the opening in the firewall (port 80 ) from being misused by another computer service or computer application.
  • firewall rule parameters is merely exemplary, and that the techniques described herein can be used with firewall rules based on any characteristics of the data being exchanged.
  • IPsec-enabled devices may be installed in many different places on a computer network, such as on a dedicated computer apparatus placed at an entry/exit point for the network (i.e., where one computer network connects to another computer network), or on a computer to regulate communication for the computer.
  • a remote computer attempts to initiate a connection to the computer or the computer network, the two computers enter a negotiation phase to determine how to protect the connection between them.
  • a connection may be protected by one or more types of connection security.
  • connection security may include, for example, encryption of the data exchanged, authentication of one or both sides of the connection, prevention of data insertion by, for example, numbering of data packets exchanged (i.e., “anti-replay”), and/or integrity checking of data when received (to ensure it has not been altered during transmission).
  • IPsec may protect communications from being intercepted by third parties during exchange and prevent unauthorized computers from connecting to a computer or computer network.
  • a computer initiating the connection will send to the other computer or device on the computer network a list of algorithms with which it may secure a connection.
  • These algorithms may be encryption algorithms, authentication algorithms, anti-replay algorithms, integrity-checking algorithms, or any other suitable security algorithm.
  • the other computer or device in the computer network may then compare the algorithms to its own list of algorithms to determine a set of algorithms which both sides of the connection support.
  • the algorithms on one or both sides of the connection may be ranked by a security level and the set of algorithms determined may comprise the most secure set of algorithms supported by both sides of the connection.
  • One or both sides of the connection may also have minimum security requirements for connections, including different minimum security requirements for different types of connections (e.g., for different origin computers or destination computers, or for different types of data exchanged), and these minimums may be used in determining the set of algorithms.
  • the minimum security requirements may be, for example, a minimum security level for algorithms used for a connection, or may be minimum requirements for the types of security used for the connection (e.g., requiring encryption but not authentication), or may be any other suitable set of minimum security requirements.
  • the other computer or the device may transmit the set of algorithms back to the computer to inform it as to how to initiate the connection.
  • the computers or the computer and the device are said to have “negotiated” a connection security level.
  • a connection is then established using the algorithms determined. Both sides of the connection may then monitor the communications exchanged and may sever the connection if any communication is received over the connection that does not conform to the negotiated connection security level, or ignore such communications.
  • connection may not be established. In other cases, an insecure connection may be established in accordance with other security parameters.
  • Embodiments of the invention may be described below that implement IPsec to implement connection security policies. It should be appreciated, however, that embodiments of the invention are not limited to implementing IPsec and may implement any suitable connection security method.
  • FIG. 1 shows a flowchart of a process by which a remote computer 106 may establish a secure connection and securely transmit data to a second computing device in accordance with one embodiment of the present invention. It should be appreciated that the process of FIG. 1 is merely exemplary, and embodiments of the invention may be used in systems that implement any suitable process for establishing a connection and transmitting data.
  • FIG. 1 While the illustrative example shown in FIG. 1 , and others discussed below, relate primarily to receiving at a firewall 100 data from a remote computer 106 , embodiments of the invention may also be used to regulate data being sent by a computer apparatus hosting firewall 100 or by a computer apparatus in a computer network secured by firewall 100 to a remote computer 106 , or may regulate data being exchanged in any other suitable manner.
  • remote computer 106 sends a negotiation request to a computing device hosting a firewall 100 .
  • the computing device may be any suitable computing apparatus, including a computing apparatus dedicated exclusively to hosting the firewall or a multi-purpose computing apparatus that hosts, among other services, a firewall. Exemplary computing devices will be discussed in greater detail below, but it should be appreciated that embodiments of the present invention are not limited to being implemented on any particular computing apparatus or in any particular system of computing apparatuses.
  • security engine 100 receives the negotiation request.
  • firewall 100 may be divided into two or more logical parts, an IPsec enforcement engine 102 and a firewall enforcement engine 104 , but it should be appreciated that alternative embodiments of the invention may divide the firewall 100 in other ways or may not divide the security engine 100 .
  • the IPsec enforcement engine 102 (or any suitable component of security engine 100 ), in block 114 , matches the received negotiation request to the IPsec policies and capabilities of the security engine 100 to determine a security level at which it will communicate with the remote computer 106 .
  • This process may primarily consist of comparing the capabilities of the remote computer 106 to the capabilities of the security engine 100 , though the process may consist of other steps as well because the determination of a security level may be done in any suitable manner making use of any suitable information. Exemplary processes for making this determination will be discussed in greater detail below, though it should be appreciated that embodiments of the invention are not limited to implementing any specific process.
  • security engine 100 may, in block 116 , send a response to remote computer 106 that comprises a list of the types of connection security that should be used for the connection between remote computer 106 and the computing device with which it intends to communicate.
  • the response sent by security engine 100 may also comprise an indicator of which security algorithms should be used by remote computer 106 when securing the connection, and/or any other suitable information.
  • remote computer 106 receives the negotiation response and performs any necessary processing steps for securing the connection.
  • These necessary processing steps may include locally-executed steps such as determining encryption keys for encryption algorithms, or may include exchanging data with the security engine 100 , such as exchanging authentication data like usernames and passwords. Any suitable processing steps may be executed by the remote computer 106 at this stage, and it should be appreciated that embodiments of the invention are not limited to performing any particular processing steps or, indeed, any processing steps at all.
  • remote computer 106 begins transmitting to its intended recipient (e.g., a computer apparatus hosting the security engine 100 or a computer apparatus in a computer network protected by the security engine 100 ).
  • Transmissions may comprise any suitable content, and this first transmission may comprise a request to initiate a connection if the remote computer 106 desires to communicate using a connection-based protocol such as the Transmission Control Protocol (TCP).
  • TCP Transmission Control Protocol
  • the first transmission may comprise data if the remote computer 106 desires to communicate using a connectionless protocol such as the User Datagram Protocol (UDP).
  • security engine 100 receives the transmission and confirms that it meets the requirements of the negotiated security level for that connection.
  • the firewall enforcement engine 104 receives the transmission and compares it to at least one firewall rule to determine if it should be relayed to its destination (i.e., its intended recipient).
  • Firewall rules may define requirements for transmission to meet in order to be relayed through the firewall.
  • a firewall rule may be implemented based on any characteristic of the received transmission, including origin or destination address. In some embodiments of the invention, however, firewall rules may also be defined based wholly or partially on connection security levels of the connection over which the transmission was received, or on security characteristics of the data in the transmission. Exemplary processes for determining whether the received transmission matches firewall rules will be discussed in further detail below, though it should be appreciated that embodiments of the invention may make this determination in any suitable manner and are not limited to implementing any particular process.
  • the transmission is then allowed to pass through the firewall and is relayed to the intended recipient.
  • the intended recipient may be a service or application on the same computing device as the security engine 100 or may be a separate computing device to which the data should be sent.
  • some embodiments of the invention may implement a security engine 100 that combines Secure Sockets Layer (SSL) with a firewall 104 such that firewall rules of the firewall 104 may filter data based on parameters relating to SSL.
  • SSL Secure Sockets Layer
  • alternative embodiments of the invention may implement a security engine 100 that combines a data compression engine with a firewall 104 such that firewall rules of the firewall 104 may filter data based on parameters relating to compression (e.g., what compression algorithm was used to compress the data).
  • FIG. 2 shows an illustrative process for matching connection security capabilities and policies of the security engine 100 with the capabilities of the remote computer 106 (block 114 in the process of FIG. 1 ).
  • the process of FIG. 2 may begin, in some embodiments of the invention, when a negotiation request is received by the security engine 100 in block 112 .
  • This negotiation request may comprise any suitable information.
  • a negotiation request transmitted by remote computer 106 may comprise a listing of all the types of connection security supported by remote computer 106 .
  • the negotiation request may also, in some embodiments of the invention, comprise a listing of the security algorithms remote computer 106 supports to implement those types of connection security.
  • the algorithms supported by remote computer 106 may be transmitted to the computing device hosting security engine 100 in a separate transmission either automatically or upon being requested by security engine 100 .
  • IPsec enforcement engine 102 may maintain a policy or policies of minimum security levels for all connections and/or particular types of connections having characteristics that remote computer 106 must meet. These characteristics may include characteristics regarding remote computer 106 (e.g., addresses such as IP address or subnet mask that identify a computer or a location of a computer) and/or regarding the desired connection based on intended use information contained in the negotiation request (e.g., the type of data to be transmitted and/or the service/application transmitting the data).
  • characteristics regarding remote computer 106 e.g., addresses such as IP address or subnet mask that identify a computer or a location of a computer
  • intended use information contained in the negotiation request e.g., the type of data to be transmitted and/or the service/application transmitting the data.
  • an IPsec connection security policy may be developed automatically based on firewall rules which are in turn based on connection security levels (described below).
  • the IPsec enforcement engine may examine the firewall rules maintained by security engine 100 and determine the minimum level of connection security that meets any firewall rule, or the minimum level that meets a particular rule such as a default rule, and specify that level of connection security as the minimum connection security level in the IPsec policy.
  • policies such as these may be based on types of connection security supported by one or both ends of the connection.
  • any suitable type of connection security may be supported by either the remote computer 106 or the security engine 100 .
  • Exemplary types of connection security include encryption, authentication, anti-replay, and integrity checking, among others. These types of connection security may be used alone or in combination with one another. Accordingly, a policy of security engine 100 may require that all connections use encryption and connections from some computers be further secured by requiring authentication. Alternatively, a policy of IPsec enforcement engine 102 may require that all connections be encrypted and checked for integrity, but the firewall may “trust” some computers and require only integrity checking and not encryption.
  • a policy may require that all connections be encrypted and may not have any exceptions or additional requirements for particular connections. It should be appreciated that any type or types of connection security may be used alone or in any combination to secure connections, and that embodiments of the invention are not limited to requiring any particular type or types of connection security or, indeed, any connection security at all.
  • a policy of IPsec enforcement engine 102 may also be more specific than requiring types of connection security.
  • a policy may require a particular algorithm or algorithms be used for all or some connections.
  • a policy may stipulate that for some connections, a single algorithm or a select group of algorithms are required and may require a different algorithm or group of algorithms for other connections.
  • a policy may require only that an algorithm supported by the IPsec enforcement engine 102 be used for the connection.
  • IPsec enforcement engine 102 begins to compare, using the data transmitted with the negotiation request, the capabilities of the remote computer 106 to its own capabilities and policies to determine if the connection may be established. Based on the policy or policies, the IPsec enforcement engine 102 may begin (in block 202 ) evaluating each type of connection security required by the IPsec policy of the IPsec enforcement engine 102 . This process may comprise several steps. First, in block 204 , the IPsec enforcement engine 102 may determine whether the remote computer 102 supports that type of connection security. If it does, the process may continue to block 206 wherein the IPsec enforcement engine 102 may determine whether the remote computer 206 supports algorithms that are sufficiently secure.
  • Block 206 may comprise determining what algorithms the remote computer 206 supports for a particular type of connection security by requesting from the remote computer 206 a listing of supported algorithms. Block 206 may additionally or alternatively comprise determining whether the IPsec enforcement engine 102 supports any of the algorithms that the remote computer 106 supports, and/or whether these mutually supported algorithms are sufficiently secure for the connection security policy of IPsec enforcement engine 102 . If IPsec enforcement engine 102 does determine that the remote computer 106 and the IPsec enforcement engine 102 both support one or more algorithms that are sufficiently secure, the process continues to block 208 wherein the process selects a “best” security algorithm to use for the connection.
  • This selection may be done in any suitable manner, including, for example, by a ranking of the algorithms and choosing the most secure or by choosing, of the acceptable algorithms, the easiest to implement/use.
  • IPsec enforcement engine 102 may compile, in block 212 , a negotiation response with an indicator of the selected algorithms to be sent in block 116 .
  • IPsec enforcement engine 102 may drop and ignore the connection request or may, in some embodiments of the invention, compile in block 214 a negotiation response that indicates to remote computer 106 that the connection request has been denied.
  • This response may comprise any suitable information, including an indicator of why the connection has been denied (e.g., what type of connection security is required and not supported). It should be appreciated, however, that in some embodiments of the invention the response indicating that the connection request has been denied may be compiled and transmitted, but may not reach the remote computer 106 as the security engine 100 may have one or more policies in place preventing the transmission of error messages.
  • This may be done to improve security by not indicating to a remote terminal 106 when errors have occurred because, with that information, an attacker using remote computer 106 may be able to determine operational characteristics of the security engine 100 and may be able to exploit that information to attack the security engine 100 .
  • IPsec enforcement engine 102 may approve a connection to remote computer 106 that is less secure than its policies require but may, for example, restrict what remote computer 106 may transmit over the connection or may, for example, restrict to where it may transmit data or from where it may receive data, or may take any other suitable action.
  • FIG. 2 is merely illustrative, and that other processes are possible. Further, it should be appreciated that other embodiments of the invention may instead transmit IPsec enforcement engine 102 's capabilities and policies to remote computer 106 and have the remote computer 106 determine a security level for the connection.
  • FIG. 3 shows an exemplary process (as in block 122 ) for processing a received transmission to confirm that remote computer 106 has conformed to the negotiated security level for the connection, and/or to confirm that a third party (e.g., an attacker) is not trying to transmit data as if it were being sent by remote computer 106 .
  • This confirmation may be done in any suitable manner, and it should be appreciated that embodiments of the invention are not limited to the specific process shown in FIG. 3 .
  • IPsec enforcement engine 102 receives a transmission from remote computer 106 and, in block 302 , determines what negotiated security policy should be applied to the received transmission. This determination may be made in any suitable manner, including, for example, by retrieving from a listing of negotiated security policies the negotiated security policy for the connection based on an address or other characteristic of remote computer 106 .
  • the process confirms that the transmission meets the negotiated security level.
  • This confirmation may comprise decrypting the transmission and/or confirming that it is using the correct encryption process, authenticating the remote computer 106 , checking the integrity of the data, checking sequence numbers of the data as part of an anti-replay algorithm, or any other suitable method of confirming.
  • the transmission may be dropped/deleted and not relayed to its intended recipient.
  • IPsec enforcement engine 102 may, in some embodiments of the invention, transmit an indicator that the transmission was dropped to the remote computer 106 to inform it that it is not transmitting the transmission appropriately (i.e., according the negotiated security level).
  • the received transmission does meet the negotiated level of security, however, in block 306 at least some information relating to the transmission may be relayed to the firewall enforcement engine 104 .
  • the transmission may be relayed as it was received, or it may be relayed in any other suitable manner.
  • the data may be decrypted prior to being relayed, and/or it may be placed inside a data structure along with information regarding the type(s) of connection security used for its connection.
  • the data structure may further comprise an indicator of what algorithms were used for each of the types of connection security used for the connection.
  • embodiments of the invention are not limited to implementing the specific illustrative process of FIG. 3 and may implement any suitable process for confirming that the remote computer 106 is conforming to the negotiated security level.
  • the transmission is compared to firewall rules maintained by the firewall to determine whether the transmission should be relayed to its intended recipient, as in block 124 .
  • FIG. 4 shows an illustrative process for making this determination, though it should be appreciated that other processes are possible.
  • the illustrative process of FIG. 4 begins in block 400 when a transmission is received from the IPsec enforcement engine 102 (or from any other suitable component of security engine 100 or the computer system in which security engine 100 is operating).
  • the process begins comparing the received transmission to firewall rules maintained by security engine 100 .
  • these firewall rules are typically based on one or more characteristics of the received transmission. These characteristics may include any of the characteristics on which traditional firewalls filter transmissions, such as origin port/address, destination port/address, protocol by which the data is being sent, service or application sending or receiving data, size of the data being received, or any other suitable characteristic. In some embodiments of the invention, these characteristics may also include characteristics which are not evaluated in traditional firewall rules.
  • a firewall rule may comprise or consist of filtering parameters based on types of connection security used for a connection, either alone or in combination with any other firewall filtering characteristics.
  • firewall rules may be based on any suitable type or types of connection security that may be negotiated for a connection.
  • Exemplary types of connection security include encryption, authentication, anti-replay, and integrity checking, among others.
  • a firewall rule may alternatively or additionally comprise requirements on what algorithm or algorithms are acceptable for a particular type of connection security, may require a level of security that an algorithm must meet, or may be based on any other suitable characteristic of connection security.
  • connection security parameters of a firewall rule may comprise an identity of the remote computer 106 that was determined by the IPsec enforcement engine 102 .
  • a firewall rule may comprise a connection security parameter on authentication data (e.g., a username of the user of remote computer 106 ) collected during an authentication process.
  • authentication data e.g., a username of the user of remote computer 106
  • the firewall may filter received data based on the authenticated identity of the remote computer 106 and/or the identity of the user of the remote computer 106 .
  • embodiments of the invention may establish firewall rule parameters on any information received from or assigned to remote computer 106 during a security negotiation process such as the matching process 114 described above.
  • connection security may be used in firewall rules either alone, in any suitable combination with one another, and/or in any suitable combination with other filter characteristics (examples of which are described above as being used with conventional firewalls).
  • one firewall rule may require that most connections use authentication and another firewall rule may stipulate that connections from some computers be further secured by requiring encryption.
  • a broad firewall rule may require that most connections be encrypted and checked for integrity, but a narrower firewall rule that takes precedence over the broad firewall rule may require only integrity checking and not encryption if the connection is being made to a particular computer behind the firewall or to a particular service transmitting or receiving the data.
  • a firewall rule may require that all connections be encrypted and the firewall may not have any exceptions or additional requirements for particular connections.
  • Firewall rules are typically, though not necessarily, enforced in a specific order, though the specific order may be any suitable order.
  • the firewall may, for example, have one or more broad rules that define the firewall's default policy and have a number of narrower rules that define exceptions to that policy, and may evaluate rules from broad to narrow to determine if the received transmission should be relayed.
  • a firewall may examine multiple rules as part of this determination process.
  • the process selects the first rule in the order by which firewall rules should be evaluated.
  • the process determines whether the received transmission matches the firewall parameters of this firewall rule.
  • the firewall parameters may be based on any characteristic of the transmission discussed above (such as origin or destination port/address, size, service, etc.) or any other suitable characteristic, and includes all characteristics evaluated by the firewall except for any relating to IPsec. If the transmission does not meet any of these parameters, the process may, in some embodiments of the invention, return to block 402 and select the next firewall rule in the order for evaluation. If the data does meet all the parameters, however, the process may continue to block 406 wherein it compares the connection security level of the connection over which the data was received to the connection security parameters of the firewall rule.
  • connection security information used in this comparison may have been received from the IPsec enforcement engine 102 with the transmission (e.g., as part of the data structure described above), or may be retrieved from a data store of connection security levels based on a characteristic or characteristics about the transmission (e.g., origin address), or in any other suitable way. If the connection security level of the connection meets all the requirements of the firewall rule, then in block 408 the transmission may be allowed through the firewall and relayed to its intended recipient.
  • firewall rules may have a field for a “Block if not matched” flag for connection security parameters.
  • the firewall enforcement engine 104 may save processing time by not examining firewall rules when it may infer that the requirements of the firewall rules may not be met.
  • the “Block if not matched” technique may be used to prevent a similar firewall rule lower in a rule hierarchy or rule order from being evaluated.
  • the blocking of data may be done in any suitable manner, such as by simply dropping/deleting the data or by sending an indicator of the blockage to the sender.
  • the “Block if not matched” flag may not be a particular data field in the rule, but may instead be stored alongside a data value in another data field of the firewall rule, as will be discussed in greater detail below.
  • Block if not matched flag is not set, then the process continues to block 414 , wherein the process will determine if there are more firewall rules to be evaluated. If there are more rules, the process will continue evaluating firewall rules by returning to block 402 and selecting the next firewall rule in the order. If there are no more firewall rules to evaluate, the process may block the data in block 412 in any suitable manner, as described above.
  • a “Block if not matched” flag may be set for the entire security engine 100 , in addition to or instead of for individual rules, such that if the requirements of firewall parameters of any rule are met while the connection security parameters of that rule are not met, the process will stop evaluating rules.
  • the “Block if not matched” flag may also apply to firewall parameters, such that execution may stop at block 404 if the firewall parameters of a rule are not met. It should be appreciated that any “Block if not matched” technique to save on rule evaluation processing may be implemented in any suitable manner and embodiments of the invention are not limited to implementing the technique in any particular way or, indeed, implementing the technique at all.
  • embodiments of the invention may determine whether a received transmission meets one or more firewall rules in any suitable manner, and are not limited to implementing the illustrative process shown in FIG. 4 .
  • Firewall rules such as those evaluated by the exemplary process shown in FIG. 4 may be stored by security engine 100 in any suitable manner, including by a schema such as the one shown in FIG. 5 .
  • FIG. 5 shows a data structure 500 comprising a number of data fields and values that may be used in a firewall rule such as those maintained by security engine 100 .
  • a firewall rule may comprise any number of required and/or optional data fields, and that firewall rules maintained by embodiments of the invention are not limited to implementing any of the data fields shown in FIG. 5 .
  • Data fields shown in FIG. 5 include any parameters on which the security engine 100 may make its decision to allow or block data.
  • the ACTION field indicates what the security engine 100 should do if received data matches the remainder of the fields (e.g., whether it should be blocked or allowed).
  • a firewall rule may also be enabled or disabled by a firewall administrator, and thus the firewall rule may comprise an ACTIVE field storing a “True” or “False” value.
  • the firewall rule may also store a name for itself (the NAME field) and/or a description of its functionality (the DESC field) so that it might be distinguished to a user or administrator.
  • the name field may take a definite value, or may take an indefinite value such as a reference to a text value in a dynamic linked library, such in FIG. 5 .
  • firewall rule may be more readily adapted to implementation in different circumstances. Either technique (definite or indefinite values) may also be employed for the description of the firewall rule (the DESC field).
  • the firewall rule may also comprise one or more filtering parameters.
  • a firewall rule may store an indicator of what type of traffic it applies to, either inbound or outbound (i.e., into the computer or computer network protected by the firewall or out of the computer or computer network) (the DIR field).
  • the firewall rule may further comprise an indicator of what protocol or protocols it operates on (the PROTOCOL field), stored in any suitable way such as by the number assigned to the protocol by the Internet Assigned Numbers Authority (IANA).
  • the PROTOCOL field has a value of 6, which corresponds to the Transmission Control Protocol (TCP).
  • TCP Transmission Control Protocol
  • the local port used by the data may also be regulated by the firewall 100 (the LPORT field).
  • the firewall rule may also store an indicator of what range of remote addresses (the address of the sender/receiver) to which it applies, for both Internet Protocol Version 4 (IPv4) (the RA4 field) and Internet Protocol Version 6 (IPv6) (the RA6 field).
  • IPv4 Internet Protocol Version 4
  • IPv6 Internet Protocol Version 6
  • a firewall rule may comprise an indicator of what service may send or receive the data (the SVC field), which may comprise a name for the service (e.g., XYZService), or a particular application that is sending or receiving the data (the APP field) with a full or relative path to the application's executable (e.g., % SYSTEMROOT % ⁇ system32 ⁇ svchostexe).
  • firewall rules may also comprise requirements for connection security levels. These may be stored in any suitable manner, including as a single field taking multiple values indicating levels of connection security or as multiple fields each relating to a type of connection security and storing a value indicating whether that type is required (e.g., a true/false value) or what type of algorithm should be used for that type of connection security.
  • FIG. 5 shows the former method, wherein the firewall rule has a SECURITY field taking multiple different values.
  • the SECURITY field may take any suitable value, such as “Authenticate” for firewall rules that require that the transmitting computer authenticate with the security engine 100 before the data will be allowed through the firewall.
  • the SECURITY field may also store a value of “StrictAuthenticate” for a stricter form of authentication, a value of “AuthenticatelntCheck” for authentication paired with integrity checking, a value of “AuthenticateEncrypt” for authentication paired with encryption, or any other suitable value.
  • the SECURITY field may also be used as part of the “Block if not matched” rule mentioned above, by taking a value that indicates whether further evaluation should be blocked if the security level specified is not met.
  • the values for SECURITY previously described may indicate that evaluation should be blocked, while values such as “CAuthenticate” (for continue/Authenticate), “CStrictAuthenticate,” “CAuthenticatelntCheck,” or “CAuthenticateEncrypt” may be stored to indicate that evaluation should continue.
  • these values indicating that execution should continue may be stored in a different field that also signals that execution should continue, such as in a SECURITY 2 field.
  • Alternative embodiments of the invention may store values indicating a “Block if not matched” state in any other suitable manner.
  • IPsec policies may be developed based on firewall rules.
  • the IPsec enforcement engine 102 may develop these policies on its own by querying the firewall rules.
  • the firewall enforcement engine 104 will create these policies in the IPsec enforcement engine 102 based on the firewall rules.
  • a firewall rule may therefore have a data field such as AUTOGENIPSEC to inform the firewall enforcement engine whether it should create IPsec policies based on that firewall rule. This data field may take a true or false value, or any other suitable value.
  • Firewall rules may also store other data fields and other values not shown in FIG. 5 .
  • a firewall rule may have a PROFILE field indicating to which computing profile it applies.
  • a computing profile may be set by a user or an operating system to indicate an environment that the computer apparatus is in, such that network policies such as firewall and IPsec policies, or other network settings, may be set appropriately. In this manner, some firewall rules may only be applied to some environments/profiles.
  • the PROFILE field may take any suitable value, including “Domain,” which may indicate that the rule applies when the computer apparatus is in use in a managed network domain, “Private,” which may indicate that the rule applies when the computer apparatus is in use in a private network such as a home network, and “Public,” which may indicate that the rule applies when the computer apparatus is in use in a public network such as a commercial network (e.g., in a coffeehouse).
  • a firewall may also store a GROUP indicator, which may link together two or more firewall rules that relate to a particular experience or feature on the computer apparatus (e.g., an application). In this manner, all firewall rules relating to a particular experience or feature on the computer apparatus may be simultaneously enabled or disabled when referred to as a group, or other suitable group operations may be performed on the firewall rules.
  • Firewall rules such as the one shown in the schema of FIG. 5 may be created or managed in any suitable manner.
  • a command line interface may be used to create firewall rules that takes as input various parameters that should be used in creating the rule.
  • a command line interface such as
  • netsh may be a program that performs many functions related to network administration, and takes as input values indicating what particular function should be performed (e.g., “advfirewall firewall add rule” indicates that netsh should use its advanced firewall functionality to add a rule to the firewall).
  • the remaining input relate to the parameters that should be used in the new firewall rule, corresponding to DIR, ACTION, NAME, LPORT, PROTOCOL, APP, and SECURITY, discussed above. It should be appreciated that embodiments of the invention may not implement a command such as netsh and may instead implement any other suitable command line interface.
  • any suitable graphical interface may be used to create or manage firewall rules, such as the one shown in FIG. 6 .
  • FIG. 6 shows one step of a process of creating a firewall rule using a graphical interface. Looking on the left side of interface 600 , the various steps may be seen, such as “Rule Type,” “Program,” “Action,” “Users and Computers,” “Profile,” and “Name.”
  • “Action” a user may indicate whether to block or allow data that fits the rule, as well as indicate whether to allow or block the data based on connection security parameters such as whether the connection is authenticated, encrypted, and/or integrity-checked.
  • connection security parameters such as whether the connection is authenticated, encrypted, and/or integrity-checked.
  • FIGS. 7-10 show various computer systems in which embodiments of the invention may act, though others are possible.
  • FIG. 7 shows a computer apparatus 700 which may host security engine 100 and that may be used in accordance with one or more embodiments of the invention. It should be appreciated that FIG. 7 is intended to be neither a depiction of necessary components for a computing device to operate as a computer apparatus with embodiments of the invention, nor a comprehensive depiction. As discussed above, any suitable computing device may be used as a computer apparatus 700 to host a security engine 100 .
  • Computer apparatus 700 may be a computing device designed for multiple purposes and for use by a user, such as a desktop personal computer, a laptop personal computer, a server, a personal digital assistant (PDA), a smart/mobile telephone, a web-enabled television set, or any other suitable electronic device.
  • PDA personal digital assistant
  • computer apparatus 700 may be any computing device not intended for typical use by a user or intended for a single purpose or limited purposes, such as a server, a rack-mounted networking device, or a standalone networking device such as a switch, hub, router, access point, hardware firewall, or any other suitable electronic device.
  • computer apparatus 700 comprises a processor 702 , a network adapter 704 , and computer-readable media 706 .
  • Network adapter 704 may be any suitable hardware and/or software to enable computer apparatus 700 to communicate with any other suitable computing device over any suitable computing network.
  • the computing network may be any suitable wired and/or wireless communication medium or media for exchanging data between two or more computers, including the Internet.
  • Computer-readable media 706 may be adapted to store data to be processed and/or instructions to be executed by processor 702 .
  • Processor 702 enables processing of data and execution of instructions. The data and instructions may be stored on the computer-readable media 706 and may, for example, enable communication between components of the computer apparatus 700 .
  • the data and instructions stored on computer-readable media 706 may comprise a security engine 100 , as described above.
  • Security engine 100 may be implemented in any suitable manner and may, for example, be divided into multiple logical parts, such as an IPsec connection security enforcement engine 102 and a firewall enforcement engine 104 .
  • FIGS. 8 and 9 show exemplary implementations for a firewall enforcement engine 104 and an IPsec enforcement engine 102 , respectively. Again, it should be appreciated that FIGS. 8 and 9 are intended to be neither a depiction of necessary components for a firewall enforcement engine 102 or an IPsec enforcement engine 102 to act in accordance with embodiments of the invention, or a comprehensive depiction.
  • firewall enforcement engine 104 comprises a firewall rules store 800 for storing firewall rules that have been implemented by security engine 100 . These rules, as discussed above, may be active or inactive, and may comprise multiple different parameters. These rules may be stored in any suitable manner, such as in a flat file, a database, or any other suitable data storage method. Firewall enforcement engine 104 may further comprise a rules checking engine 802 for determining whether received data meets the requirements of one or more firewall rules. Rules checking engine 802 may implement any suitable process for making this determination, including process 124 described above.
  • FIG. 9 shows an exemplary embodiment of an IPsec enforcement engine 102 that may be used in accordance with embodiments of the invention.
  • IPsec enforcement engine 102 comprises an IPsec policy/policies store 900 for storing a policy or policies by which the IPsec enforcement engine will approve or deny connection requests during negotiation.
  • IPsec enforcement engine 102 further comprises an IPsec negotiating/confirming engine 902 for determining a negotiated connection security level and for confirming that received data meets that negotiated security level.
  • IPsec negotiating/confirming engine 902 may implement any suitable process or processes for negotiating a security level and confirming that data meets that level, such as processes 114 and 122 described above.
  • IPsec enforcement engine may further comprise a negotiated security level store 904 in which it may store indicators of security levels that have been negotiated and may query the negotiated security level store 904 during a confirmation process such as process 122 .
  • the negotiated security levels may be stored in any suitable manner, including in a flat file, database, or any other suitable data storage method.
  • security engine 100 may be implemented in any suitable manner, and embodiments of the invention are not limited to implementing the exemplary embodiments of security engine 100 shown in FIGS. 7-9 .
  • Computer apparatus 700 may be disposed with a computer system and connected to a computer network.
  • FIG. 10A shows one exemplary computer system in which embodiments of the invention may act, though others are possible.
  • computer apparatus 700 is connected to a communication network 1000 .
  • communication network 1000 may be any suitable wired and/or wireless communication medium or media for exchanging data between two or more computers, including the Internet.
  • computer apparatus 700 is connected to remote computer 106 through communication network 1000 .
  • remote computer 106 may be communicating directly with computer apparatus 700 .
  • Computer apparatus 700 is, therefore, a terminal point of the connection, and security engine 100 may only be securing computer apparatus 700 and not any other computing devices in the network.
  • data received from remote computer 106 When data received from remote computer 106 is received and approved, then it may be provided directly to a process or application on computer apparatus 700 and not relayed to another device over a network. Similarly, outbound data being sent from computer apparatus 700 to remote computer 106 through the security engine 100 may be received directly from a process or application and not over a network from another device.
  • computer apparatus 700 may be a single-purpose or limited-purpose device disposed within a computer network protecting multiple computers. Such an embodiment is shown in FIG. 10B .
  • computer apparatus 700 is a stand-alone device such as a switch, hub, router, access point, hardware firewall, or other suitable electronic device.
  • Computer apparatus 700 as in FIG. 10A , may be connected to remote computer 106 through a communication network 1000 , but may also be connected to a communication network 1002 .
  • communication network 1002 may be any suitable wired and/or wireless communication medium or media for exchanging data between two or more computers, including the Internet.
  • Computing device 1004 may be connected to communication network 1002 , and may be being protected by firewall 100 on computer apparatus 700 . In this manner, for computing device 1004 to send or receive data from certain computers, the data must be examined by security engine 100 on computer apparatus 700 before it is relayed to either computing device 1004 , in the case of inbound data, or another computer such as remote computer 106 , in the case of outbound data.
  • embodiments of the invention are not limited to operating in the exemplary computer systems shown in FIGS. 10A and 10B , and that embodiments of the invention may be implemented in any suitable computer system.
  • remote computer 106 and computer apparatus 700 are shown in FIG. 10A as desktop computers, and remote computer 106 and computing device 1004 are shown in FIG. 10B as desktop computers, these computing devices may be implemented as any suitable computing device, including a desktop personal computer, a laptop personal computer, a server, a personal digital assistant (PDA), a smart/mobile telephone, a web-enabled television set, or any other suitable electronic device.
  • PDA personal digital assistant
  • the above-described embodiments of the present invention can be implemented in any of numerous ways.
  • the embodiments may be implemented using hardware, software or a combination thereof.
  • the software code can be executed on any suitable processor or collection of processors, whether provided in a single computer or distributed among multiple computers.
  • a computer may be embodied in any of a number of forms, such as a rack-mounted computer, a desktop computer, a laptop computer, or a tablet computer. Additionally, a computer may be embedded in a device not generally regarded as a computer but with suitable processing capabilities, including a Personal Digital Assistant (PDA), a smart phone or any other suitable portable or fixed electronic device.
  • PDA Personal Digital Assistant
  • a computer may have one or more input and output devices. These devices can be used, among other things, to present a user interface. Examples of output devices that can be used to provide a user interface include printers or display screens for visual presentation of output and speakers or other sound generating devices for audible presentation of output. Examples of input devices that can be used for a user interface including keyboards, and pointing devices, such as mice, touch pads, and digitizing tables. As another example, a computer may receive input information through speech recognition or in other audible format.
  • Such computers may be interconnected by one or more networks in any suitable form, including as a local area network or a wide area network, such as an enterprise network or the Internet.
  • networks may be based on any suitable technology and may operate according to any suitable protocol and may include wireless networks, wired networks or fiber optic networks.
  • the various methods or methods outlined herein may be coded as software that is executable on one or more processors that employ any one of a variety of operating systems or platforms. Additionally, such software may be written using any of a number of suitable programming languages and/or conventional programming or scripting tools, and also may be compiled as executable machine language code or intermediate code that is executed on a framework or virtual machine.
  • the invention may be embodied as a computer-readable medium (or multiple computer readable media) (e.g., a computer memory, one or more floppy discs, compact discs, optical discs, magnetic tapes, flash memories, circuit configurations in Field Programmable Gate Arrays or other semiconductor devices, etc.) encoded with one or more programs that, when executed on one or more computers or other processors, perform methods that implement the various embodiments of the invention discussed above.
  • the computer readable medium or media can be transportable, such that the program or programs stored thereon can be loaded onto one or more different computers or other processors to implement various aspects of the present invention as discussed above.
  • program or “software” are used herein in a generic sense to refer to any type of computer code or set of computer-executable instructions that can be employed to program a computer or other processor to implement various aspects of the present invention as discussed above. Additionally, it should be appreciated that according to one aspect of this embodiment, one or more computer programs that when executed perform methods of the present invention need not reside on a single computer or processor, but may be distributed in a modular fashion amongst a number of different computers or processors to implement various aspects of the present invention.
  • Computer-executable instructions may be in many forms, such as program modules, executed by one or more computers or other devices.
  • program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.
  • functionality of the program modules may be combined or distributed as desired in various embodiments.

Abstract

Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.

Description

RELATED APPLICATIONS
This application is a continuation application claiming the benefit under 35 U.S.C. §120 of U.S. application Ser. No. 11/804,423, entitled “INCORPORATING NETWORK CONNECTION SECURITY LEVELS INTO FIREWALL RULES,” filed on May 18, 2007, which is herein incorporated by reference in its entirety.
BACKGROUND OF INVENTION
Since the development of computer networks, security has been a concern of administrators of computers and computer networks. As a result, many different methods of securing computers have been proposed.
One such security method is a firewall. Firewalls provide for security of computers by regulating what data is allowed into and out of a computer or a computer network to which the computer is connected.
Another method for computer network security is Internet Protocol Security (IPsec), also called connection security. IPsec is a protocol that secures connections between two computers, or a computer and a computer network having a device supporting IPsec.
SUMMARY OF INVENTION
Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.
In one embodiment, there is provided a method for configuring a firewall for use in a computer system that comprises at least one first device disposed inside the firewall and at least one second device disposed outside the firewall. The method comprises an act of establishing at least one rule for the firewall that determines at least one filtering function. The filtering function is one that the firewall performs on communications between the at least one first device and the at least one second device. The at least one rule employs at least one filtering parameter that is based on at least one connection security level established for a connection between the at least one first device and the at least one second device.
In another embodiment, there is provided at least one computer readable medium encoded with a plurality of instructions that, when executed, perform a method for configuring a firewall for use in a computer system that comprises at least one first device disposed inside the firewall and at least one second device disposed outside the firewall. The method comprises an act of implementing at least one rule for the firewall that determines at least one filtering function. The filtering function is one that the firewall performs on communications between the at least one first device and the at least one second device. The at least one rule employs at least one filtering parameter that is based on at least one connection security level established for a connection between the at least one first device and the at least one second device.
In a further embodiment, there is provided a device for use in a computer system that comprises a firewall, at least one first device disposed inside the firewall, and at least one second device disposed outside the firewall. The device comprises at least one processor programmed to implement at least one rule for the firewall. The at least one rule determines at least one filtering function that the firewall performs on communications between the at least one first device and the at least one second device. The at least one rule employs at least one filtering parameter that is based on at least one connection security level established for a connection between the at least one first device and the at least one second device.
BRIEF DESCRIPTION OF DRAWINGS
The accompanying drawings are not intended to be drawn to scale. In the drawings, each identical or nearly identical component that is illustrated in various figures is represented by a like numeral. For purposes of clarity, not every component may be labeled in every drawing. In the drawings:
FIG. 1 is a flowchart of an illustrative process of an overall communication flow in accordance with one embodiment of the present invention;
FIG. 2 is a flowchart of an illustrative process of negotiating a connection security level between two computer apparatuses in accordance with one embodiment of the present invention;
FIG. 3 is a flowchart of an illustrative process of confirming that received transmissions meet a negotiated security level in accordance with one embodiment of the present invention;
FIG. 4 is a flowchart of an illustrative process of matching received transmissions to firewall rules maintained by a security engine in accordance with one embodiment of the present invention;
FIG. 5 is an exemplary schema that may be used to store firewall rules created in accordance with one embodiment of the present invention;
FIG. 6 is an exemplary graphic interface that may be used to create or manage firewall rules in accordance with one embodiment of the present invention;
FIG. 7 is an exemplary computer apparatus that may be used in accordance with one embodiment of the present invention;
FIG. 8 is an exemplary firewall enforcement engine that may be used in a security engine implemented in accordance with one embodiment of the present invention;
FIG. 9 is an exemplary connection security enforcement engine that may be used in a security engine implemented in accordance with one embodiment of the present invention;
FIG. 10A is an exemplary computer system on which embodiments of the invention may be implemented;
FIG. 10B is an exemplary computer system on which embodiments of the invention may be implemented.
 DETAILED DESCRIPTION
Applicants have appreciated that firewall and connection security (e.g., IPsec) methods are typically implemented alone, and that more robust security may be provided by combining them. For example, a computer or computer network may be better protected if a firewall were able to enforce firewall rules that evaluate security parameters typically enforced by connection security.
Although multiple security methods have been employed in conventional systems, their use in independent manners often leads to conflicts between the security methods. For example, a firewall's policy for a computer or computer network may specifically allow traffic from a certain sender/computer while a connection security policy for the computer or the computer network may block the sender/computer because it does not have sufficiently secure algorithms for connection security or may not be configured to connect securely (i.e., the sender/computer does not support connection security). This conflict may lead to the sender/computer being blocked by one security method despite being specifically allowed by another, which may, in turn, lead to difficulty in troubleshooting the multiple security elements. This troubleshooting may be made more difficult if there is variation in the ordering and precedence of the security elements (e.g., a firewall's policy may supersede a connection security policy in some circumstances but the connection security policy may supersede the firewall policy in others).
Because of this potential for difficulty, a computer or computer network administrator for a conventional system may have to duplicate (at least) his or her efforts for security by making changes to multiple security elements (e.g., firewall and IPsec) when seeking to make a change to the computer or computer network's security. This task may be more difficult if the security elements are hosted by different machines in a computer network. Further, in computers or computer networks having complex security policies, the effort involved in completing the task may be prohibitive. Thus, administrators may be dissuaded from combining security methods.
Applicants have appreciated that advantages can be achieved by integrating multiple security methods rather than implementing multiple security methods separately.
In one embodiment of the present invention, described in detail below, a firewall is provided having firewall rules based wholly or partially on IPsec connection security levels. However, it should be appreciated that the invention is not limited in this respect and that firewall rules can be adopted that evaluate parameters of other security techniques, or that two other types of security methods may be combined.
A firewall may be installed in many different places on a computer network, such as on a dedicated computer apparatus placed at an entry/exit point for the network (i.e., where one computer network connects to another computer network), or on a computer to regulate communication for the computer. Based on certain parameters, data may be “allowed” to pass through the firewall to its destination or may be “blocked” by the firewall and dropped. These parameters may be based on a variety of factors regulated by firewall rules.
While a firewall may be implemented with any suitable rules, an exemplary firewall may be implemented with an initial rule, such as “block all incoming traffic” or “allow all outgoing traffic.” Other rules may be then added to the initial rule to define “exceptions” to the initial rule. For example, a firewall installed in a computer network having a web server may block all incoming traffic except traffic on Transmission Control Protocol (TCP) port 80 (port 80 is typically associated with web traffic following the Hypertext Transfer Protocol (HTTP)). A firewall could also limit which host computers may send or receive data through the firewall by implementing a firewall rule specifying certain host addresses such as a host's Internet Protocol (IP) address. As a further example, a firewall may limit at least some traffic based not on its origin or destination, but rather on what kind of data is being transmitted or received. A firewall may, for example, specify that only a certain computer service or computer application is permitted to communicate through the firewall. Additionally, firewall rules may be implemented based on a combination of any number of parameters. In this manner, a firewall rule may allow incoming traffic on TCP port 80 but may further stipulate that that traffic be HTTP traffic, to prevent the opening in the firewall (port 80) from being misused by another computer service or computer application.
It should be appreciated that this list of firewall rule parameters is merely exemplary, and that the techniques described herein can be used with firewall rules based on any characteristics of the data being exchanged.
IPsec-enabled devices, similar to firewalls, may be installed in many different places on a computer network, such as on a dedicated computer apparatus placed at an entry/exit point for the network (i.e., where one computer network connects to another computer network), or on a computer to regulate communication for the computer. When a remote computer attempts to initiate a connection to the computer or the computer network, the two computers enter a negotiation phase to determine how to protect the connection between them. A connection may be protected by one or more types of connection security. These types of connection security may include, for example, encryption of the data exchanged, authentication of one or both sides of the connection, prevention of data insertion by, for example, numbering of data packets exchanged (i.e., “anti-replay”), and/or integrity checking of data when received (to ensure it has not been altered during transmission). In this manner, IPsec may protect communications from being intercepted by third parties during exchange and prevent unauthorized computers from connecting to a computer or computer network.
In one exemplary implementation of IPsec, a computer initiating the connection will send to the other computer or device on the computer network a list of algorithms with which it may secure a connection. These algorithms may be encryption algorithms, authentication algorithms, anti-replay algorithms, integrity-checking algorithms, or any other suitable security algorithm. The other computer or device in the computer network may then compare the algorithms to its own list of algorithms to determine a set of algorithms which both sides of the connection support. The algorithms on one or both sides of the connection may be ranked by a security level and the set of algorithms determined may comprise the most secure set of algorithms supported by both sides of the connection. One or both sides of the connection may also have minimum security requirements for connections, including different minimum security requirements for different types of connections (e.g., for different origin computers or destination computers, or for different types of data exchanged), and these minimums may be used in determining the set of algorithms. The minimum security requirements may be, for example, a minimum security level for algorithms used for a connection, or may be minimum requirements for the types of security used for the connection (e.g., requiring encryption but not authentication), or may be any other suitable set of minimum security requirements.
Once the set of algorithms is determined, the other computer or the device may transmit the set of algorithms back to the computer to inform it as to how to initiate the connection. At this point, the computers or the computer and the device are said to have “negotiated” a connection security level. A connection is then established using the algorithms determined. Both sides of the connection may then monitor the communications exchanged and may sever the connection if any communication is received over the connection that does not conform to the negotiated connection security level, or ignore such communications.
If a set of algorithms supported by both ends of the connection cannot be determined, then, in some cases, the connection may not be established. In other cases, an insecure connection may be established in accordance with other security parameters.
Embodiments of the invention may be described below that implement IPsec to implement connection security policies. It should be appreciated, however, that embodiments of the invention are not limited to implementing IPsec and may implement any suitable connection security method.
FIG. 1 shows a flowchart of a process by which a remote computer 106 may establish a secure connection and securely transmit data to a second computing device in accordance with one embodiment of the present invention. It should be appreciated that the process of FIG. 1 is merely exemplary, and embodiments of the invention may be used in systems that implement any suitable process for establishing a connection and transmitting data.
It should be further appreciated that while the illustrative example shown in FIG. 1, and others discussed below, relate primarily to receiving at a firewall 100 data from a remote computer 106, embodiments of the invention may also be used to regulate data being sent by a computer apparatus hosting firewall 100 or by a computer apparatus in a computer network secured by firewall 100 to a remote computer 106, or may regulate data being exchanged in any other suitable manner.
In block 110, remote computer 106 sends a negotiation request to a computing device hosting a firewall 100. The computing device may be any suitable computing apparatus, including a computing apparatus dedicated exclusively to hosting the firewall or a multi-purpose computing apparatus that hosts, among other services, a firewall. Exemplary computing devices will be discussed in greater detail below, but it should be appreciated that embodiments of the present invention are not limited to being implemented on any particular computing apparatus or in any particular system of computing apparatuses.
In block 112, security engine 100 receives the negotiation request. In some embodiments of the invention, such as the one depicted in FIG. 1, firewall 100 may be divided into two or more logical parts, an IPsec enforcement engine 102 and a firewall enforcement engine 104, but it should be appreciated that alternative embodiments of the invention may divide the firewall 100 in other ways or may not divide the security engine 100. The IPsec enforcement engine 102 (or any suitable component of security engine 100), in block 114, matches the received negotiation request to the IPsec policies and capabilities of the security engine 100 to determine a security level at which it will communicate with the remote computer 106. This process may primarily consist of comparing the capabilities of the remote computer 106 to the capabilities of the security engine 100, though the process may consist of other steps as well because the determination of a security level may be done in any suitable manner making use of any suitable information. Exemplary processes for making this determination will be discussed in greater detail below, though it should be appreciated that embodiments of the invention are not limited to implementing any specific process.
Once the security engine 100 has, in block 114, compared the information provided by the remote computer 106 to its own capabilities and policies and determined a security level at which it will communicate with remote computer 106, security engine 100 may, in block 116, send a response to remote computer 106 that comprises a list of the types of connection security that should be used for the connection between remote computer 106 and the computing device with which it intends to communicate. The response sent by security engine 100 may also comprise an indicator of which security algorithms should be used by remote computer 106 when securing the connection, and/or any other suitable information.
In block 118, remote computer 106 receives the negotiation response and performs any necessary processing steps for securing the connection. These necessary processing steps may include locally-executed steps such as determining encryption keys for encryption algorithms, or may include exchanging data with the security engine 100, such as exchanging authentication data like usernames and passwords. Any suitable processing steps may be executed by the remote computer 106 at this stage, and it should be appreciated that embodiments of the invention are not limited to performing any particular processing steps or, indeed, any processing steps at all.
Once these steps are completed, remote computer 106, in block 120, begins transmitting to its intended recipient (e.g., a computer apparatus hosting the security engine 100 or a computer apparatus in a computer network protected by the security engine 100). Transmissions may comprise any suitable content, and this first transmission may comprise a request to initiate a connection if the remote computer 106 desires to communicate using a connection-based protocol such as the Transmission Control Protocol (TCP). Alternatively, the first transmission may comprise data if the remote computer 106 desires to communicate using a connectionless protocol such as the User Datagram Protocol (UDP). In block 122, security engine 100 receives the transmission and confirms that it meets the requirements of the negotiated security level for that connection.
In block 124, the firewall enforcement engine 104 receives the transmission and compares it to at least one firewall rule to determine if it should be relayed to its destination (i.e., its intended recipient). Firewall rules may define requirements for transmission to meet in order to be relayed through the firewall. As described above, a firewall rule may be implemented based on any characteristic of the received transmission, including origin or destination address. In some embodiments of the invention, however, firewall rules may also be defined based wholly or partially on connection security levels of the connection over which the transmission was received, or on security characteristics of the data in the transmission. Exemplary processes for determining whether the received transmission matches firewall rules will be discussed in further detail below, though it should be appreciated that embodiments of the invention may make this determination in any suitable manner and are not limited to implementing any particular process.
If it is determined that the transmission matches one or more firewall rules, the transmission is then allowed to pass through the firewall and is relayed to the intended recipient. As discussed above, the intended recipient may be a service or application on the same computing device as the security engine 100 or may be a separate computing device to which the data should be sent.
As discussed above, it should be appreciated that the process shown in FIG. 1 is merely exemplary, as the techniques described herein can integrate firewall rules with other security techniques that employ any suitable process for establishing a secure connection and securely transmitting data via the connection. For example, some embodiments of the invention may implement a security engine 100 that combines Secure Sockets Layer (SSL) with a firewall 104 such that firewall rules of the firewall 104 may filter data based on parameters relating to SSL. As a further example, alternative embodiments of the invention may implement a security engine 100 that combines a data compression engine with a firewall 104 such that firewall rules of the firewall 104 may filter data based on parameters relating to compression (e.g., what compression algorithm was used to compress the data).
FIG. 2 shows an illustrative process for matching connection security capabilities and policies of the security engine 100 with the capabilities of the remote computer 106 (block 114 in the process of FIG. 1). The process of FIG. 2 may begin, in some embodiments of the invention, when a negotiation request is received by the security engine 100 in block 112. This negotiation request may comprise any suitable information. In some embodiments of the invention, a negotiation request transmitted by remote computer 106 may comprise a listing of all the types of connection security supported by remote computer 106. The negotiation request may also, in some embodiments of the invention, comprise a listing of the security algorithms remote computer 106 supports to implement those types of connection security. In other embodiments of the invention, the algorithms supported by remote computer 106 may be transmitted to the computing device hosting security engine 100 in a separate transmission either automatically or upon being requested by security engine 100.
The illustrative process of FIG. 2 begins in block 200, wherein the security engine 100 (e.g., via the IPsec enforcement engine 102) determines its connection security policies for the connection. In some embodiments of the invention, IPsec enforcement engine 102 may maintain a policy or policies of minimum security levels for all connections and/or particular types of connections having characteristics that remote computer 106 must meet. These characteristics may include characteristics regarding remote computer 106 (e.g., addresses such as IP address or subnet mask that identify a computer or a location of a computer) and/or regarding the desired connection based on intended use information contained in the negotiation request (e.g., the type of data to be transmitted and/or the service/application transmitting the data). This policy may be developed in any suitable manner, such as being specified by a security administrator. In some embodiments of the invention, an IPsec connection security policy may be developed automatically based on firewall rules which are in turn based on connection security levels (described below). For example, the IPsec enforcement engine may examine the firewall rules maintained by security engine 100 and determine the minimum level of connection security that meets any firewall rule, or the minimum level that meets a particular rule such as a default rule, and specify that level of connection security as the minimum connection security level in the IPsec policy.
Policies such as these may be based on types of connection security supported by one or both ends of the connection. As discussed above, any suitable type of connection security may be supported by either the remote computer 106 or the security engine 100. Exemplary types of connection security include encryption, authentication, anti-replay, and integrity checking, among others. These types of connection security may be used alone or in combination with one another. Accordingly, a policy of security engine 100 may require that all connections use encryption and connections from some computers be further secured by requiring authentication. Alternatively, a policy of IPsec enforcement engine 102 may require that all connections be encrypted and checked for integrity, but the firewall may “trust” some computers and require only integrity checking and not encryption. As a further exemplary alternative, a policy may require that all connections be encrypted and may not have any exceptions or additional requirements for particular connections. It should be appreciated that any type or types of connection security may be used alone or in any combination to secure connections, and that embodiments of the invention are not limited to requiring any particular type or types of connection security or, indeed, any connection security at all.
It should be further appreciated that, in accordance with some embodiments of the invention, a policy of IPsec enforcement engine 102 may also be more specific than requiring types of connection security. A policy may require a particular algorithm or algorithms be used for all or some connections. A policy may stipulate that for some connections, a single algorithm or a select group of algorithms are required and may require a different algorithm or group of algorithms for other connections. However, it should also be appreciated that, in some embodiments of the invention, a policy may require only that an algorithm supported by the IPsec enforcement engine 102 be used for the connection.
Once IPsec enforcement engine 102 has determined its security policies in block 200, it begins to compare, using the data transmitted with the negotiation request, the capabilities of the remote computer 106 to its own capabilities and policies to determine if the connection may be established. Based on the policy or policies, the IPsec enforcement engine 102 may begin (in block 202) evaluating each type of connection security required by the IPsec policy of the IPsec enforcement engine 102. This process may comprise several steps. First, in block 204, the IPsec enforcement engine 102 may determine whether the remote computer 102 supports that type of connection security. If it does, the process may continue to block 206 wherein the IPsec enforcement engine 102 may determine whether the remote computer 206 supports algorithms that are sufficiently secure. Block 206 may comprise determining what algorithms the remote computer 206 supports for a particular type of connection security by requesting from the remote computer 206 a listing of supported algorithms. Block 206 may additionally or alternatively comprise determining whether the IPsec enforcement engine 102 supports any of the algorithms that the remote computer 106 supports, and/or whether these mutually supported algorithms are sufficiently secure for the connection security policy of IPsec enforcement engine 102. If IPsec enforcement engine 102 does determine that the remote computer 106 and the IPsec enforcement engine 102 both support one or more algorithms that are sufficiently secure, the process continues to block 208 wherein the process selects a “best” security algorithm to use for the connection. This selection may be done in any suitable manner, including, for example, by a ranking of the algorithms and choosing the most secure or by choosing, of the acceptable algorithms, the easiest to implement/use. Through a determination in block 210, the process will continue examining each required or supported type of connection security until all types of connection security have been examined. If all types of connection security are supported by the remote computer 106 with algorithms that are sufficiently secure, IPsec enforcement engine 102 may compile, in block 212, a negotiation response with an indicator of the selected algorithms to be sent in block 116.
If any type of connection security required by IPsec enforcement engine 102 is not supported by remote computer 106, or if any type of connection security is not supported with a sufficiently secure algorithm, IPsec enforcement engine 102 may drop and ignore the connection request or may, in some embodiments of the invention, compile in block 214 a negotiation response that indicates to remote computer 106 that the connection request has been denied. This response may comprise any suitable information, including an indicator of why the connection has been denied (e.g., what type of connection security is required and not supported). It should be appreciated, however, that in some embodiments of the invention the response indicating that the connection request has been denied may be compiled and transmitted, but may not reach the remote computer 106 as the security engine 100 may have one or more policies in place preventing the transmission of error messages. This may be done to improve security by not indicating to a remote terminal 106 when errors have occurred because, with that information, an attacker using remote computer 106 may be able to determine operational characteristics of the security engine 100 and may be able to exploit that information to attack the security engine 100.
In alternative embodiments of the invention, when the negotiation process is unsuccessful, IPsec enforcement engine 102 may approve a connection to remote computer 106 that is less secure than its policies require but may, for example, restrict what remote computer 106 may transmit over the connection or may, for example, restrict to where it may transmit data or from where it may receive data, or may take any other suitable action.
It should be appreciated that the process of FIG. 2 is merely illustrative, and that other processes are possible. Further, it should be appreciated that other embodiments of the invention may instead transmit IPsec enforcement engine 102's capabilities and policies to remote computer 106 and have the remote computer 106 determine a security level for the connection.
FIG. 3 shows an exemplary process (as in block 122) for processing a received transmission to confirm that remote computer 106 has conformed to the negotiated security level for the connection, and/or to confirm that a third party (e.g., an attacker) is not trying to transmit data as if it were being sent by remote computer 106. This confirmation may be done in any suitable manner, and it should be appreciated that embodiments of the invention are not limited to the specific process shown in FIG. 3.
In block 300, IPsec enforcement engine 102 receives a transmission from remote computer 106 and, in block 302, determines what negotiated security policy should be applied to the received transmission. This determination may be made in any suitable manner, including, for example, by retrieving from a listing of negotiated security policies the negotiated security policy for the connection based on an address or other characteristic of remote computer 106.
In block 304, the process confirms that the transmission meets the negotiated security level. This confirmation may comprise decrypting the transmission and/or confirming that it is using the correct encryption process, authenticating the remote computer 106, checking the integrity of the data, checking sequence numbers of the data as part of an anti-replay algorithm, or any other suitable method of confirming. If the received transmission does not meet the negotiated level of security, in block 308 the transmission may be dropped/deleted and not relayed to its intended recipient. Further, IPsec enforcement engine 102 may, in some embodiments of the invention, transmit an indicator that the transmission was dropped to the remote computer 106 to inform it that it is not transmitting the transmission appropriately (i.e., according the negotiated security level).
If the received transmission does meet the negotiated level of security, however, in block 306 at least some information relating to the transmission may be relayed to the firewall enforcement engine 104. The transmission may be relayed as it was received, or it may be relayed in any other suitable manner. For example, in some embodiments of the invention, the data may be decrypted prior to being relayed, and/or it may be placed inside a data structure along with information regarding the type(s) of connection security used for its connection. In some embodiments of the invention, the data structure may further comprise an indicator of what algorithms were used for each of the types of connection security used for the connection.
As mentioned above, it should be appreciated that embodiments of the invention are not limited to implementing the specific illustrative process of FIG. 3 and may implement any suitable process for confirming that the remote computer 106 is conforming to the negotiated security level.
As discussed above, once the transmission has been received and passed to the firewall enforcement engine 104 (or any suitable component of the firewall), the transmission is compared to firewall rules maintained by the firewall to determine whether the transmission should be relayed to its intended recipient, as in block 124.
FIG. 4 shows an illustrative process for making this determination, though it should be appreciated that other processes are possible.
The illustrative process of FIG. 4 begins in block 400 when a transmission is received from the IPsec enforcement engine 102 (or from any other suitable component of security engine 100 or the computer system in which security engine 100 is operating). In block 402, the process begins comparing the received transmission to firewall rules maintained by security engine 100. As discussed above, these firewall rules are typically based on one or more characteristics of the received transmission. These characteristics may include any of the characteristics on which traditional firewalls filter transmissions, such as origin port/address, destination port/address, protocol by which the data is being sent, service or application sending or receiving data, size of the data being received, or any other suitable characteristic. In some embodiments of the invention, these characteristics may also include characteristics which are not evaluated in traditional firewall rules. In some embodiments of the invention, a firewall rule may comprise or consist of filtering parameters based on types of connection security used for a connection, either alone or in combination with any other firewall filtering characteristics. As discussed above, firewall rules may be based on any suitable type or types of connection security that may be negotiated for a connection. Exemplary types of connection security include encryption, authentication, anti-replay, and integrity checking, among others. A firewall rule may alternatively or additionally comprise requirements on what algorithm or algorithms are acceptable for a particular type of connection security, may require a level of security that an algorithm must meet, or may be based on any other suitable characteristic of connection security.
In one embodiment of the invention, connection security parameters of a firewall rule may comprise an identity of the remote computer 106 that was determined by the IPsec enforcement engine 102. For example, a firewall rule may comprise a connection security parameter on authentication data (e.g., a username of the user of remote computer 106) collected during an authentication process. In this manner, rather than depending on an origin address of received data to determine an identity of the remote computer 106, in some embodiments of the invention the firewall may filter received data based on the authenticated identity of the remote computer 106 and/or the identity of the user of the remote computer 106. Alternatively or additionally, embodiments of the invention may establish firewall rule parameters on any information received from or assigned to remote computer 106 during a security negotiation process such as the matching process 114 described above.
Types of connection security may be used in firewall rules either alone, in any suitable combination with one another, and/or in any suitable combination with other filter characteristics (examples of which are described above as being used with conventional firewalls). As with connection security policies, one firewall rule may require that most connections use authentication and another firewall rule may stipulate that connections from some computers be further secured by requiring encryption. Alternatively, a broad firewall rule may require that most connections be encrypted and checked for integrity, but a narrower firewall rule that takes precedence over the broad firewall rule may require only integrity checking and not encryption if the connection is being made to a particular computer behind the firewall or to a particular service transmitting or receiving the data. As a further exemplary alternative, a firewall rule may require that all connections be encrypted and the firewall may not have any exceptions or additional requirements for particular connections.
Firewall rules are typically, though not necessarily, enforced in a specific order, though the specific order may be any suitable order. In one embodiment, the firewall may, for example, have one or more broad rules that define the firewall's default policy and have a number of narrower rules that define exceptions to that policy, and may evaluate rules from broad to narrow to determine if the received transmission should be relayed. Thus, a firewall may examine multiple rules as part of this determination process.
In block 402, the process selects the first rule in the order by which firewall rules should be evaluated. In block 404, the process determines whether the received transmission matches the firewall parameters of this firewall rule. The firewall parameters may be based on any characteristic of the transmission discussed above (such as origin or destination port/address, size, service, etc.) or any other suitable characteristic, and includes all characteristics evaluated by the firewall except for any relating to IPsec. If the transmission does not meet any of these parameters, the process may, in some embodiments of the invention, return to block 402 and select the next firewall rule in the order for evaluation. If the data does meet all the parameters, however, the process may continue to block 406 wherein it compares the connection security level of the connection over which the data was received to the connection security parameters of the firewall rule. The connection security information used in this comparison may have been received from the IPsec enforcement engine 102 with the transmission (e.g., as part of the data structure described above), or may be retrieved from a data store of connection security levels based on a characteristic or characteristics about the transmission (e.g., origin address), or in any other suitable way. If the connection security level of the connection meets all the requirements of the firewall rule, then in block 408 the transmission may be allowed through the firewall and relayed to its intended recipient.
If the connection security level does not meet the requirements of the connection security level, however, in some embodiments of the invention the process may continue to block 410. In these embodiments of the invention, firewall rules may have a field for a “Block if not matched” flag for connection security parameters. In these embodiments, if received data meets the requirements of the firewall parameters of a firewall rule but does not meet the requirements of the connection security parameters, then the data may be blocked in block 412 without examining other firewall rules. By doing this, the firewall enforcement engine 104 may save processing time by not examining firewall rules when it may infer that the requirements of the firewall rules may not be met. Additionally, security may be improved as the “Block if not matched” technique may be used to prevent a similar firewall rule lower in a rule hierarchy or rule order from being evaluated. As described above, the blocking of data may be done in any suitable manner, such as by simply dropping/deleting the data or by sending an indicator of the blockage to the sender. In some embodiments of the invention, the “Block if not matched” flag may not be a particular data field in the rule, but may instead be stored alongside a data value in another data field of the firewall rule, as will be discussed in greater detail below.
If, however, the “Block if not matched” flag is not set, then the process continues to block 414, wherein the process will determine if there are more firewall rules to be evaluated. If there are more rules, the process will continue evaluating firewall rules by returning to block 402 and selecting the next firewall rule in the order. If there are no more firewall rules to evaluate, the process may block the data in block 412 in any suitable manner, as described above.
In some embodiments of the invention, a “Block if not matched” flag may be set for the entire security engine 100, in addition to or instead of for individual rules, such that if the requirements of firewall parameters of any rule are met while the connection security parameters of that rule are not met, the process will stop evaluating rules. In some embodiments of the invention, the “Block if not matched” flag may also apply to firewall parameters, such that execution may stop at block 404 if the firewall parameters of a rule are not met. It should be appreciated that any “Block if not matched” technique to save on rule evaluation processing may be implemented in any suitable manner and embodiments of the invention are not limited to implementing the technique in any particular way or, indeed, implementing the technique at all.
It should be appreciated that embodiments of the invention may determine whether a received transmission meets one or more firewall rules in any suitable manner, and are not limited to implementing the illustrative process shown in FIG. 4.
Firewall rules such as those evaluated by the exemplary process shown in FIG. 4 may be stored by security engine 100 in any suitable manner, including by a schema such as the one shown in FIG. 5. FIG. 5 shows a data structure 500 comprising a number of data fields and values that may be used in a firewall rule such as those maintained by security engine 100. It should be appreciated that a firewall rule may comprise any number of required and/or optional data fields, and that firewall rules maintained by embodiments of the invention are not limited to implementing any of the data fields shown in FIG. 5.
Data fields shown in FIG. 5 include any parameters on which the security engine 100 may make its decision to allow or block data. The ACTION field indicates what the security engine 100 should do if received data matches the remainder of the fields (e.g., whether it should be blocked or allowed). A firewall rule may also be enabled or disabled by a firewall administrator, and thus the firewall rule may comprise an ACTIVE field storing a “True” or “False” value. The firewall rule may also store a name for itself (the NAME field) and/or a description of its functionality (the DESC field) so that it might be distinguished to a user or administrator. The name field may take a definite value, or may take an indefinite value such as a reference to a text value in a dynamic linked library, such in FIG. 5. This latter approach may be taken in cases where different text values may be used in different circumstances, such as in different locations where different languages may be used. By referencing the text instead of storing the text directly, the firewall rule may be more readily adapted to implementation in different circumstances. Either technique (definite or indefinite values) may also be employed for the description of the firewall rule (the DESC field).
The firewall rule may also comprise one or more filtering parameters. A firewall rule may store an indicator of what type of traffic it applies to, either inbound or outbound (i.e., into the computer or computer network protected by the firewall or out of the computer or computer network) (the DIR field). The firewall rule may further comprise an indicator of what protocol or protocols it operates on (the PROTOCOL field), stored in any suitable way such as by the number assigned to the protocol by the Internet Assigned Numbers Authority (IANA). In FIG. 5, the PROTOCOL field has a value of 6, which corresponds to the Transmission Control Protocol (TCP). The local port used by the data may also be regulated by the firewall 100 (the LPORT field). This may be used to limit the type of data being transmitted, because certain types of data tend to be transmitted over certain ports, and may also serve to limit the number of ports open on the computer or computer network. The LPORT field may take any appropriate value (e.g., TCP ports are numbered from 0 to 65535). The firewall rule may also store an indicator of what range of remote addresses (the address of the sender/receiver) to which it applies, for both Internet Protocol Version 4 (IPv4) (the RA4 field) and Internet Protocol Version 6 (IPv6) (the RA6 field). These fields may take any suitable value, including a specific address or an indicator of a type of address (e.g., to restrict the firewall rule to an address in the same subnet as the security engine 100, the indicator may be LOCALSUBNET). A firewall rule may comprise an indicator of what service may send or receive the data (the SVC field), which may comprise a name for the service (e.g., XYZService), or a particular application that is sending or receiving the data (the APP field) with a full or relative path to the application's executable (e.g., % SYSTEMROOT %\system32\svchostexe).
As discussed above, in some embodiments of the present invention, firewall rules may also comprise requirements for connection security levels. These may be stored in any suitable manner, including as a single field taking multiple values indicating levels of connection security or as multiple fields each relating to a type of connection security and storing a value indicating whether that type is required (e.g., a true/false value) or what type of algorithm should be used for that type of connection security. FIG. 5 shows the former method, wherein the firewall rule has a SECURITY field taking multiple different values. The SECURITY field may take any suitable value, such as “Authenticate” for firewall rules that require that the transmitting computer authenticate with the security engine 100 before the data will be allowed through the firewall. The SECURITY field may also store a value of “StrictAuthenticate” for a stricter form of authentication, a value of “AuthenticatelntCheck” for authentication paired with integrity checking, a value of “AuthenticateEncrypt” for authentication paired with encryption, or any other suitable value. In embodiments of the invention, the SECURITY field may also be used as part of the “Block if not matched” rule mentioned above, by taking a value that indicates whether further evaluation should be blocked if the security level specified is not met. For example, the values for SECURITY previously described may indicate that evaluation should be blocked, while values such as “CAuthenticate” (for continue/Authenticate), “CStrictAuthenticate,” “CAuthenticatelntCheck,” or “CAuthenticateEncrypt” may be stored to indicate that evaluation should continue. In some embodiments of the invention, these values indicating that execution should continue may be stored in a different field that also signals that execution should continue, such as in a SECURITY2 field. Alternative embodiments of the invention may store values indicating a “Block if not matched” state in any other suitable manner.
As discussed above, in some embodiments of the invention, IPsec policies may be developed based on firewall rules. In some of these embodiments, the IPsec enforcement engine 102 may develop these policies on its own by querying the firewall rules. In some embodiments of the invention, the firewall enforcement engine 104 will create these policies in the IPsec enforcement engine 102 based on the firewall rules. A firewall rule may therefore have a data field such as AUTOGENIPSEC to inform the firewall enforcement engine whether it should create IPsec policies based on that firewall rule. This data field may take a true or false value, or any other suitable value.
Firewall rules may also store other data fields and other values not shown in FIG. 5. For example, a firewall rule may have a PROFILE field indicating to which computing profile it applies. A computing profile may be set by a user or an operating system to indicate an environment that the computer apparatus is in, such that network policies such as firewall and IPsec policies, or other network settings, may be set appropriately. In this manner, some firewall rules may only be applied to some environments/profiles. The PROFILE field may take any suitable value, including “Domain,” which may indicate that the rule applies when the computer apparatus is in use in a managed network domain, “Private,” which may indicate that the rule applies when the computer apparatus is in use in a private network such as a home network, and “Public,” which may indicate that the rule applies when the computer apparatus is in use in a public network such as a commercial network (e.g., in a coffeehouse). A firewall may also store a GROUP indicator, which may link together two or more firewall rules that relate to a particular experience or feature on the computer apparatus (e.g., an application). In this manner, all firewall rules relating to a particular experience or feature on the computer apparatus may be simultaneously enabled or disabled when referred to as a group, or other suitable group operations may be performed on the firewall rules.
Firewall rules such as the one shown in the schema of FIG. 5 may be created or managed in any suitable manner. For example, a command line interface may be used to create firewall rules that takes as input various parameters that should be used in creating the rule. For example, a command line interface such as
netsh advfirewall firewall add rule dir=in action=allow name=test
Localport=80 protocol=tcp program=c:\sfpcopy.exe
security=authenticate

may be used. In this example, netsh may be a program that performs many functions related to network administration, and takes as input values indicating what particular function should be performed (e.g., “advfirewall firewall add rule” indicates that netsh should use its advanced firewall functionality to add a rule to the firewall). The remaining input, in the example, relate to the parameters that should be used in the new firewall rule, corresponding to DIR, ACTION, NAME, LPORT, PROTOCOL, APP, and SECURITY, discussed above. It should be appreciated that embodiments of the invention may not implement a command such as netsh and may instead implement any other suitable command line interface.
As an alternative to the command line interface, or in addition to the command line interface, any suitable graphical interface may be used to create or manage firewall rules, such as the one shown in FIG. 6. FIG. 6 shows one step of a process of creating a firewall rule using a graphical interface. Looking on the left side of interface 600, the various steps may be seen, such as “Rule Type,” “Program,” “Action,” “Users and Computers,” “Profile,” and “Name.” In the step shown, “Action,” a user may indicate whether to block or allow data that fits the rule, as well as indicate whether to allow or block the data based on connection security parameters such as whether the connection is authenticated, encrypted, and/or integrity-checked. It should be appreciated that any suitable graphic interface may be used for creating firewall rules, and that embodiments of the invention are not limited to implementing the graphic interface shown in FIG. 6.
The aspects of the present invention described herein may be implemented on any of numerous computer system configurations and are not limited to any particular type of configuration. FIGS. 7-10 show various computer systems in which embodiments of the invention may act, though others are possible.
FIG. 7 shows a computer apparatus 700 which may host security engine 100 and that may be used in accordance with one or more embodiments of the invention. It should be appreciated that FIG. 7 is intended to be neither a depiction of necessary components for a computing device to operate as a computer apparatus with embodiments of the invention, nor a comprehensive depiction. As discussed above, any suitable computing device may be used as a computer apparatus 700 to host a security engine 100. Computer apparatus 700 may be a computing device designed for multiple purposes and for use by a user, such as a desktop personal computer, a laptop personal computer, a server, a personal digital assistant (PDA), a smart/mobile telephone, a web-enabled television set, or any other suitable electronic device. Alternatively, computer apparatus 700 may be any computing device not intended for typical use by a user or intended for a single purpose or limited purposes, such as a server, a rack-mounted networking device, or a standalone networking device such as a switch, hub, router, access point, hardware firewall, or any other suitable electronic device.
As shown in FIG. 7, computer apparatus 700 comprises a processor 702, a network adapter 704, and computer-readable media 706. Network adapter 704 may be any suitable hardware and/or software to enable computer apparatus 700 to communicate with any other suitable computing device over any suitable computing network. The computing network may be any suitable wired and/or wireless communication medium or media for exchanging data between two or more computers, including the Internet. Computer-readable media 706 may be adapted to store data to be processed and/or instructions to be executed by processor 702. Processor 702 enables processing of data and execution of instructions. The data and instructions may be stored on the computer-readable media 706 and may, for example, enable communication between components of the computer apparatus 700.
In accordance with some embodiments of the invention, the data and instructions stored on computer-readable media 706 may comprise a security engine 100, as described above. Security engine 100 may be implemented in any suitable manner and may, for example, be divided into multiple logical parts, such as an IPsec connection security enforcement engine 102 and a firewall enforcement engine 104.
As discussed above, security engine 100 or the parts thereof may be implemented in any suitable manner. FIGS. 8 and 9 show exemplary implementations for a firewall enforcement engine 104 and an IPsec enforcement engine 102, respectively. Again, it should be appreciated that FIGS. 8 and 9 are intended to be neither a depiction of necessary components for a firewall enforcement engine 102 or an IPsec enforcement engine 102 to act in accordance with embodiments of the invention, or a comprehensive depiction.
As shown in FIG. 8, firewall enforcement engine 104 comprises a firewall rules store 800 for storing firewall rules that have been implemented by security engine 100. These rules, as discussed above, may be active or inactive, and may comprise multiple different parameters. These rules may be stored in any suitable manner, such as in a flat file, a database, or any other suitable data storage method. Firewall enforcement engine 104 may further comprise a rules checking engine 802 for determining whether received data meets the requirements of one or more firewall rules. Rules checking engine 802 may implement any suitable process for making this determination, including process 124 described above.
FIG. 9 shows an exemplary embodiment of an IPsec enforcement engine 102 that may be used in accordance with embodiments of the invention. As shown, IPsec enforcement engine 102 comprises an IPsec policy/policies store 900 for storing a policy or policies by which the IPsec enforcement engine will approve or deny connection requests during negotiation. IPsec enforcement engine 102 further comprises an IPsec negotiating/confirming engine 902 for determining a negotiated connection security level and for confirming that received data meets that negotiated security level. IPsec negotiating/confirming engine 902 may implement any suitable process or processes for negotiating a security level and confirming that data meets that level, such as processes 114 and 122 described above. IPsec enforcement engine may further comprise a negotiated security level store 904 in which it may store indicators of security levels that have been negotiated and may query the negotiated security level store 904 during a confirmation process such as process 122. The negotiated security levels may be stored in any suitable manner, including in a flat file, database, or any other suitable data storage method.
As discussed above, it should be appreciated that security engine 100 may be implemented in any suitable manner, and embodiments of the invention are not limited to implementing the exemplary embodiments of security engine 100 shown in FIGS. 7-9.
Computer apparatus 700 may be disposed with a computer system and connected to a computer network. FIG. 10A shows one exemplary computer system in which embodiments of the invention may act, though others are possible. In FIG. 10A, computer apparatus 700 is connected to a communication network 1000. As discussed above, communication network 1000 may be any suitable wired and/or wireless communication medium or media for exchanging data between two or more computers, including the Internet. In FIG. 10A, computer apparatus 700 is connected to remote computer 106 through communication network 1000. In the embodiment of FIG. 10A, remote computer 106 may be communicating directly with computer apparatus 700. Computer apparatus 700 is, therefore, a terminal point of the connection, and security engine 100 may only be securing computer apparatus 700 and not any other computing devices in the network. When data received from remote computer 106 is received and approved, then it may be provided directly to a process or application on computer apparatus 700 and not relayed to another device over a network. Similarly, outbound data being sent from computer apparatus 700 to remote computer 106 through the security engine 100 may be received directly from a process or application and not over a network from another device.
Alternatively, computer apparatus 700, as discussed above, may be a single-purpose or limited-purpose device disposed within a computer network protecting multiple computers. Such an embodiment is shown in FIG. 10B. In FIG. 10B, computer apparatus 700 is a stand-alone device such as a switch, hub, router, access point, hardware firewall, or other suitable electronic device. Computer apparatus 700, as in FIG. 10A, may be connected to remote computer 106 through a communication network 1000, but may also be connected to a communication network 1002. Just as communication network 1000, communication network 1002 may be any suitable wired and/or wireless communication medium or media for exchanging data between two or more computers, including the Internet. Computing device 1004 may be connected to communication network 1002, and may be being protected by firewall 100 on computer apparatus 700. In this manner, for computing device 1004 to send or receive data from certain computers, the data must be examined by security engine 100 on computer apparatus 700 before it is relayed to either computing device 1004, in the case of inbound data, or another computer such as remote computer 106, in the case of outbound data.
It should be appreciated that embodiments of the invention are not limited to operating in the exemplary computer systems shown in FIGS. 10A and 10B, and that embodiments of the invention may be implemented in any suitable computer system. Additionally, though remote computer 106 and computer apparatus 700 are shown in FIG. 10A as desktop computers, and remote computer 106 and computing device 1004 are shown in FIG. 10B as desktop computers, these computing devices may be implemented as any suitable computing device, including a desktop personal computer, a laptop personal computer, a server, a personal digital assistant (PDA), a smart/mobile telephone, a web-enabled television set, or any other suitable electronic device.
The above-described embodiments of the present invention can be implemented in any of numerous ways. For example, the embodiments may be implemented using hardware, software or a combination thereof. When implemented in software, the software code can be executed on any suitable processor or collection of processors, whether provided in a single computer or distributed among multiple computers.
Further, it should be appreciated that a computer may be embodied in any of a number of forms, such as a rack-mounted computer, a desktop computer, a laptop computer, or a tablet computer. Additionally, a computer may be embedded in a device not generally regarded as a computer but with suitable processing capabilities, including a Personal Digital Assistant (PDA), a smart phone or any other suitable portable or fixed electronic device.
Also, a computer may have one or more input and output devices. These devices can be used, among other things, to present a user interface. Examples of output devices that can be used to provide a user interface include printers or display screens for visual presentation of output and speakers or other sound generating devices for audible presentation of output. Examples of input devices that can be used for a user interface including keyboards, and pointing devices, such as mice, touch pads, and digitizing tables. As another example, a computer may receive input information through speech recognition or in other audible format.
Such computers may be interconnected by one or more networks in any suitable form, including as a local area network or a wide area network, such as an enterprise network or the Internet. Such networks may be based on any suitable technology and may operate according to any suitable protocol and may include wireless networks, wired networks or fiber optic networks.
Also, the various methods or methods outlined herein may be coded as software that is executable on one or more processors that employ any one of a variety of operating systems or platforms. Additionally, such software may be written using any of a number of suitable programming languages and/or conventional programming or scripting tools, and also may be compiled as executable machine language code or intermediate code that is executed on a framework or virtual machine.
In this respect, the invention may be embodied as a computer-readable medium (or multiple computer readable media) (e.g., a computer memory, one or more floppy discs, compact discs, optical discs, magnetic tapes, flash memories, circuit configurations in Field Programmable Gate Arrays or other semiconductor devices, etc.) encoded with one or more programs that, when executed on one or more computers or other processors, perform methods that implement the various embodiments of the invention discussed above. The computer readable medium or media can be transportable, such that the program or programs stored thereon can be loaded onto one or more different computers or other processors to implement various aspects of the present invention as discussed above.
The terms “program” or “software” are used herein in a generic sense to refer to any type of computer code or set of computer-executable instructions that can be employed to program a computer or other processor to implement various aspects of the present invention as discussed above. Additionally, it should be appreciated that according to one aspect of this embodiment, one or more computer programs that when executed perform methods of the present invention need not reside on a single computer or processor, but may be distributed in a modular fashion amongst a number of different computers or processors to implement various aspects of the present invention.
Computer-executable instructions may be in many forms, such as program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Typically the functionality of the program modules may be combined or distributed as desired in various embodiments.
Various aspects of the present invention may be used alone, in combination, or in a variety of arrangements not specifically discussed in the embodiments described in the foregoing and is therefore not limited in its application to the details and arrangement of components set forth in the foregoing description or illustrated in the drawings. For example, aspects described in one embodiment may be combined in any manner with aspects described in other embodiments.
Use of ordinal terms such as “first,” “second,” “third,” etc., in the claims to modify a claim element does not by itself connote any priority, precedence, or order of one claim element over another or the temporal order in which acts of a method are performed, but are used merely as labels to distinguish one claim element having a certain name from another element having a same name (but for use of the ordinal term) to distinguish the claim elements.
Also, the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. The use of “including,” “comprising,” or “having,” “containing,” “involving,” and variations thereof herein, is meant to encompass the items listed thereafter and equivalents thereof as well as additional items.
Having thus described several aspects of at least one embodiment of this invention, it is to be appreciated that various alterations, modifications, and improvements will readily occur to those skilled in the art. Such alterations, modifications, and improvements are intended to be part of this disclosure, and are intended to be within the spirit and scope of the invention. Accordingly, the foregoing description and drawings are by way of example only.

Claims (20)

What is claimed is:
1. A method of regulating transmissions using a firewall, the method comprising:
receiving a first transmission at the firewall, the firewall being associated with at least a first multi-parameter firewall rule and at least one other multi-parameter firewall rule, each of the first multi-parameter firewall rule and the at least one other multi-parameter firewall rule having at least a first parameter, a connection security parameter relating to one or more types of connection security, a first field that specifies an action for that multi-parameter firewall rule, and another field that specifies whether transmissions not meeting the connection security parameter should be blocked;
determining that properties of the first transmission do not meet the first parameter of the first multi-parameter firewall rule;
handling the first transmission according to the at least one other multi-parameter firewall rule without determining whether the properties of the first transmission meet the connection security parameter of the first multi-parameter firewall rule;
receiving a second transmission at the firewall;
determining that properties of the second transmission meet the first parameter of the first multi-parameter firewall rule and do not meet the connection security parameter of the first multi-parameter firewall rule;
blocking the second transmission with the firewall without determining whether the properties of the second transmission meet parameters of the at least one other multi-parameter firewall rule if the other field of the first multi-parameter firewall rule specifies that transmissions not meeting the connection security parameter should be blocked;
receiving a third transmission at the firewall;
determining that properties of the third transmission meet the first parameter of the first multi-parameter firewall rule and meet the connection security parameter of the first multi-parameter firewall rule; and
taking an action regarding the third transmission that is specified by the first field of the first multi-parameter firewall rule.
2. The method of claim 1, wherein handling the first transmission according to the at least one other multi-parameter firewall rule includes:
determining that the properties of the first transmission meet the first parameter of the at least one other multi-parameter firewall rule; and
handling the first transmission according to an evaluation of the connection security parameter of the at least one other multi-parameter firewall rule.
3. The method of claim 1, wherein taking the action specified by the first field of the first multi-parameter firewall rule comprises allowing the third transmission through the firewall.
4. The method of claim 1, wherein determining that the properties of the third transmission meet the first parameter of the first multi-parameter firewall rule and meet the connection security parameter of the first multi-parameter firewall rule includes:
determining that the properties of the third transmission meet the first parameter of the first multi-parameter firewall rule by evaluating at least one transmission characteristic of the third transmission relative to the first parameter of the first multi-parameter firewall rule; and
determining that the properties of the third transmission meet the connection security parameter of the first multi-parameter firewall rule by evaluating the third transmission for the one or more types of connection security.
5. The method of claim 4, wherein evaluating the at least one transmission characteristic comprises evaluating a source address, a destination address, a source port, a destination port, a protocol, a data size, and/or a source application.
6. The method of claim 4, wherein determining that the properties of the third transmission meet the connection security parameter of the first multi-parameter firewall rule comprises determining that the properties of the third transmission meet at least one connection security level, the at least one connection security level being specified as a constraint of a connection security policy regulating connections between a first device and a second device.
7. The method of claim 6, wherein determining that the properties of the third transmission meet the at least one connection security level comprises determining that connection security for the third transmission meets or exceeds the at least one connection security level.
8. The method of claim 4, wherein evaluating the third transmission for the one or more types of connection security comprises evaluating the third transmission for a type of connection security including authentication, integrity checking, encryption, and/or anti-replay.
9. The method of claim 8, wherein evaluating the third transmission for one or more types of connection security comprises evaluating the third transmission to determine, if the third transmission uses connection security, a level of security of the connection security that is used.
10. At least one computer-readable memory having stored thereon computer-executable instructions that, in response to execution by a firewall device, cause the firewall device to perform operations, the operations comprising:
receiving a first transmission at the firewall device, the firewall device being associated with at least a first firewall rule of a set of firewall rules, the first firewall rule comprising a first parameter relating to at least one transmission characteristic, a connection security parameter relating to one or more types of connection security, a first field that specifies an action for that firewall rule, and a connection security field that specifies whether transmissions not meeting the connection security parameter are to be blocked;
determining that at least one transmission characteristic of the first transmission does not meet the first parameter of the first firewall rule;
handling the first transmission according to at least one other firewall rule of the set of firewall rules without determining whether a connection security characteristic of the first transmission meets the connection security parameter of the first firewall rule;
receiving a second transmission at the firewall device;
determining that at least one transmission characteristic of the second transmission meets the first parameter of the first firewall rule and a connection security characteristic of the second transmission does not meet the connection security parameter of the first firewall rule;
blocking the second transmission with the firewall device without regard to additional firewall rules of the set of firewall rules if the connection security field of the first firewall rule specifies that transmissions not meeting the connection security parameter are to be blocked;
receiving a third transmission at the firewall device;
determining that at least one transmission characteristic of the third transmission meets the first parameter of the first firewall rule and a connection security characteristic of the third transmission meets the connection security parameter of the first firewall rule; and
taking an action regarding the third transmission that is specified by the first field of the first firewall rule.
11. The at least one computer-readable memory of claim 10, wherein handling the first transmission according to the at least one other firewall rule includes:
determining that the at least one transmission characteristic of the first transmission meets a first parameter of the at least one other firewall rule; and
handling the first transmission according to an evaluation of a second parameter of the at least one other firewall rule.
12. The at least one computer-readable memory of claim 10, wherein the at least one transmission characteristic of the first transmission includes a source address, destination address, source port, destination port, protocol, data size, and/or a source application.
13. The at least one computer-readable memory of claim 10, wherein determining that the connection security characteristic of the third transmission meets the connection security parameter of the first firewall rule comprises determining that the connection security characteristic of the third transmission meets at least one connection security level, the at least one connection security level being specified as a constraint of a connection security policy regulating connections between a first device and a second device.
14. The at least one computer-readable memory of claim 10, wherein determining that the at least one transmission characteristic of the second transmission meets the first parameter of the first firewall rule and the connection security characteristic of the second transmission does not meet the connection security parameter of the first firewall rule includes evaluating the second transmission to determine, if the second transmission uses connection security, a level of the connection security that is used.
15. The at least one computer-readable memory of claim 10, wherein determining that the first firewall rule indicates that the second transmission should be blocked comprises determining that a parameter of the first firewall rule indicates that the second transmission should be blocked if the first parameter is met and the connection security second parameter is not met.
16. A firewall device, comprising:
at least one processor; and
at least one computer-readable memory having processor-executable instructions stored therein that, in response to execution by the at least one processor, cause the firewall device to regulate transmission of data through the firewall device based on a set of two or more firewall rules, each of the two or more firewall rules having at least a first parameter and a connection security parameter, the regulation of transmission of data comprising:
receiving a first transmission;
determining that properties of the first transmission do not meet the first parameter of a first firewall rule of the set of firewall rules;
handling the first transmission according to at least one other firewall rule of the set of firewall rules without determining whether the properties of the first transmission meet the connection security parameter of the first firewall rule;
receiving a second transmission;
determining that properties of the second transmission meet the first parameter of the first firewall rule;
determining that the properties of the second transmission do not meet the connection security parameter of the first firewall rule, the connection security parameter of the first firewall rule relating to one or more types of connection security;
in response to the determination that the properties of the second transmission do not meet the connection security parameter of the first firewall rule, determining whether the second transmission is to be blocked based on a setting in a connection security field that specifies whether transmissions not meeting the connection security parameter are to be blocked;
if the connection security field specifies that transmissions not meeting the connection security parameter are to be blocked, blocking the second transmission without determining whether the properties of the second transmission meet parameters of a next firewall rule of the set of firewall rules;
receiving a third transmission;
determining that properties of the third transmission meet the first parameter of the first firewall rule and meet the connection security parameter of the first firewall rule; and
in response to the determination that the properties of the third transmission meet the first parameter of the first firewall rule and meet the connection security parameter of the first firewall rule, taking an action regarding the third transmission that is specified by the first firewall rule.
17. The firewall device of claim 16, wherein determining whether the second transmission is to be blocked comprises evaluating a configuration of the firewall device, separate from the set of firewall rules, for an indication of whether the second transmission is to be blocked.
18. The firewall device of claim 16, wherein determining whether the second transmission is to be blocked comprises determining whether another parameter of the first firewall rule indicates that the second transmission is to be blocked.
19. The firewall device of claim 16, wherein handling the first transmission according to the at least one other firewall rule of the set of firewall rules comprises:
determining whether the properties of the first transmission meet first and connection security parameters of the next firewall rule of the set of firewall rules.
20. The firewall device of claim 16, wherein:
determining that the properties of the first transmission meet the first parameter of the first firewall rule comprises evaluating at least one transmission characteristic of the first transmission; and
determining that the properties of the third transmission meet the connection security parameter of the first firewall rule comprises evaluating the third transmission for the one or more types of connection security.
US13/427,436 2007-05-18 2012-03-22 Incorporating network connection security levels into firewall rules Expired - Fee Related US8776208B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/427,436 US8776208B2 (en) 2007-05-18 2012-03-22 Incorporating network connection security levels into firewall rules

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/804,423 US8166534B2 (en) 2007-05-18 2007-05-18 Incorporating network connection security levels into firewall rules
US13/427,436 US8776208B2 (en) 2007-05-18 2012-03-22 Incorporating network connection security levels into firewall rules

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/804,423 Continuation US8166534B2 (en) 2007-05-18 2007-05-18 Incorporating network connection security levels into firewall rules

Publications (2)

Publication Number Publication Date
US20120185929A1 US20120185929A1 (en) 2012-07-19
US8776208B2 true US8776208B2 (en) 2014-07-08

Family

ID=40028860

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/804,423 Active 2030-04-27 US8166534B2 (en) 2007-05-18 2007-05-18 Incorporating network connection security levels into firewall rules
US13/427,436 Expired - Fee Related US8776208B2 (en) 2007-05-18 2012-03-22 Incorporating network connection security levels into firewall rules

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US11/804,423 Active 2030-04-27 US8166534B2 (en) 2007-05-18 2007-05-18 Incorporating network connection security levels into firewall rules

Country Status (1)

Country Link
US (2) US8166534B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9596219B2 (en) 2010-04-19 2017-03-14 Amaani, Llc Method of transmission of encrypted documents

Families Citing this family (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8189621B2 (en) 2006-05-12 2012-05-29 Microsoft Corporation Stack signaling to application with lack of requested bandwidth
US8144793B2 (en) 2006-12-12 2012-03-27 Microsoft Corporation Cognitive multi-user OFDMA
US7929623B2 (en) * 2007-03-30 2011-04-19 Microsoft Corporation FEC in cognitive multi-user OFDMA
US7970085B2 (en) 2007-05-08 2011-06-28 Microsoft Corporation OFDM transmission and reception for non-OFDMA signals
US8166534B2 (en) 2007-05-18 2012-04-24 Microsoft Corporation Incorporating network connection security levels into firewall rules
US8266685B2 (en) * 2007-05-18 2012-09-11 Microsoft Corporation Firewall installer
US20090019170A1 (en) * 2007-07-09 2009-01-15 Felix Immanuel Wyss System and method for secure communication configuration
US8374130B2 (en) 2008-01-25 2013-02-12 Microsoft Corporation Orthogonal frequency division multiple access with carrier sense
US8448220B2 (en) * 2008-04-29 2013-05-21 Mcafee, Inc. Merge rule wizard
US20090300748A1 (en) * 2008-06-02 2009-12-03 Secure Computing Corporation Rule combination in a firewall
US8490171B2 (en) * 2008-07-14 2013-07-16 Tufin Software Technologies Ltd. Method of configuring a security gateway and system thereof
US8904514B2 (en) 2010-04-12 2014-12-02 Hewlett-Packard Development Company, L.P. Implementing a host security service by delegating enforcement to a network device
US8914841B2 (en) * 2010-11-24 2014-12-16 Tufin Software Technologies Ltd. Method and system for mapping between connectivity requests and a security rule set
US9794731B2 (en) 2010-12-31 2017-10-17 Google Technology Holdings LLC Method and apparatus for providing secure communication in a self-organizing network
US10741859B2 (en) 2012-04-02 2020-08-11 Hydrogenics Corporation Fuel cell start up method
FR2992810A1 (en) * 2012-06-29 2014-01-03 France Telecom METHOD FOR TRANSMITTING A MESSAGE BY A SERVER OF A MULTIMEDIA IP NETWORK HEART, AND SERVER
JP6053364B2 (en) * 2012-07-19 2016-12-27 キヤノン株式会社 Information processing system, server device, client device, and control method
US9380081B1 (en) * 2013-05-17 2016-06-28 Ca, Inc. Bidirectional network data replications
GB2514550A (en) 2013-05-28 2014-12-03 Ibm System and method for providing access to a resource for a computer from within a restricted network and storage medium storing same
US9032524B2 (en) * 2013-09-10 2015-05-12 HAProxy S.á.r.l. Line-rate packet filtering technique for general purpose operating systems
US9087079B1 (en) * 2014-03-07 2015-07-21 Ricoh Company, Ltd. Apparatus, method, and computer-readable storage medium for displaying a map and an image of a device
RU2598337C2 (en) * 2014-12-19 2016-09-20 Закрытое акционерное общество "Лаборатория Касперского" System and method of selecting means of interception of data transmitted over network
US10681088B2 (en) 2015-09-30 2020-06-09 International Business Machines Corporation Data security system
EP3417396A4 (en) * 2016-02-15 2019-11-06 Michael C. Wood System and method for blocking persistent malware
US11657175B2 (en) * 2016-02-23 2023-05-23 Philips Medical Systems Technologies Ltd Patient medical data acquisition system and method using an external device
US11258763B2 (en) 2016-11-25 2022-02-22 Cybernetiq, Inc. Computer network security configuration visualization and control system
US10762183B1 (en) 2017-04-24 2020-09-01 Architecture Technology Corporation Secure authentication using biometric factors
US10999262B1 (en) * 2017-04-24 2021-05-04 Architecture Technology Corporation High assurance tactical cross-domain hub
US10917384B2 (en) * 2017-09-12 2021-02-09 Synergex Group Methods, systems, and media for modifying firewalls based on dynamic IP addresses
US10276175B1 (en) 2017-11-28 2019-04-30 Google Llc Key phrase detection with audio watermarking
US11108739B2 (en) 2018-02-20 2021-08-31 Blackberry Limited Firewall incorporating network security information
US11451521B2 (en) * 2018-10-18 2022-09-20 Paypal, Inc. Systems and methods for encrypted data transmission
US20200314066A1 (en) * 2019-03-29 2020-10-01 Cloudflare, Inc. Validating firewall rules using data at rest
US11841952B2 (en) 2020-02-26 2023-12-12 Armis Security Ltd. Techniques for detecting exploitation of manufacturing device vulnerabilities
US11481503B2 (en) 2020-02-26 2022-10-25 Armis Security Ltd. Techniques for detecting exploitation of medical device vulnerabilities
JP2022114391A (en) * 2021-01-26 2022-08-05 京セラドキュメントソリューションズ株式会社 Electronic apparatus
US11947655B1 (en) 2021-02-02 2024-04-02 Architecture Technology Corporation Secure authentication using companion trust
FR3140503A1 (en) * 2022-09-29 2024-04-05 Orange Methods for proving and verifying the use of a cipher suite, verification entity, communication devices, terminal, and associated computer program

Citations (57)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5968176A (en) 1997-05-29 1999-10-19 3Com Corporation Multilayer firewall system
US6327660B1 (en) 1998-09-18 2001-12-04 Intel Corporation Method for securing communications in a pre-boot environment
US6493756B1 (en) 1999-10-28 2002-12-10 Networks Associates, Inc. System and method for dynamically sensing an asynchronous network event within a modular framework for network event processing
US20030097590A1 (en) 2001-11-19 2003-05-22 Tuomo Syvanne Personal firewall with location dependent functionality
US20030118038A1 (en) * 2001-11-29 2003-06-26 Mika Jalava Personalized firewall
US20030142673A1 (en) 2002-01-28 2003-07-31 Basavaraj Patil Method and system for securing mobile IPV6 home address option using ingress filtering
US20040003290A1 (en) 2002-06-27 2004-01-01 International Business Machines Corporation Firewall protocol providing additional information
US20040054610A1 (en) 2001-11-28 2004-03-18 Monetaire Monetaire wealth management platform
US6721890B1 (en) 1999-05-04 2004-04-13 Microsoft Corporation Application specific distributed firewall
US20040090921A1 (en) 2002-10-25 2004-05-13 General Instrument Corporation Method and apparatus for testing an IP network
US20040100951A1 (en) 2002-09-18 2004-05-27 O'neill Alan Methods and apparatus for using a care of address option
US20040111643A1 (en) 2002-12-02 2004-06-10 Farmer Daniel G. System and method for providing an enterprise-based computer security policy
US20040268123A1 (en) 2003-06-27 2004-12-30 Nokia Corporation Security for protocol traversal
US20050091355A1 (en) * 2003-10-02 2005-04-28 International Business Machines Corporation Providing a necessary level of security for computers capable of connecting to different computing environments
US20050097358A1 (en) * 2003-10-29 2005-05-05 Boris Yanovsky Method and apparatus for datastream
US6915437B2 (en) 2000-12-20 2005-07-05 Microsoft Corporation System and method for improved network security
US6917980B1 (en) 2000-12-12 2005-07-12 International Business Machines Corporation Method and apparatus for dynamic modification of internet firewalls using variably-weighted text rules
US6928553B2 (en) * 2001-09-18 2005-08-09 Aastra Technologies Limited Providing internet protocol (IP) security
US20050210291A1 (en) 2004-03-22 2005-09-22 Toui Miyawaki Storage area network system using internet protocol, security system, security management program and storage device
US20050229246A1 (en) 2004-03-31 2005-10-13 Priya Rajagopal Programmable context aware firewall with integrated intrusion detection system
US20050240990A1 (en) 2004-04-22 2005-10-27 Microsoft Corporation Systems and methods for managing networks
US20050262554A1 (en) 2004-05-18 2005-11-24 International Business Machines Visualization of firewall rules in an auto provisioning environment
US20050268331A1 (en) 2004-05-25 2005-12-01 Franck Le Extension to the firewall configuration protocols and features
US20060015935A1 (en) 2001-10-26 2006-01-19 Microsoft Corporation Method for providing user authentication/authorization and distributed firewall utilizing same
US6996842B2 (en) 2001-01-30 2006-02-07 Intel Corporation Processing internet protocol security traffic
US7028336B2 (en) 1996-02-06 2006-04-11 Graphon Corporation Firewall providing enhanced network security and user transparency
US20060195899A1 (en) 2005-02-25 2006-08-31 Microsoft Corporation Providing consistent application aware firewall traversal
US20070016945A1 (en) 2005-07-15 2007-01-18 Microsoft Corporation Automatically generating rules for connection security
US7188365B2 (en) 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
US20070204338A1 (en) 2005-02-17 2007-08-30 At&T Corp Reverse Firewall with Self-Provisioning
US7284267B1 (en) 2001-03-08 2007-10-16 Mcafee, Inc. Automatically configuring a computer firewall based on network connection
US7308706B2 (en) 2002-10-28 2007-12-11 Secure Computing Corporation Associative policy model
US20080148380A1 (en) 2006-10-30 2008-06-19 Microsoft Corporation Dynamic updating of firewall parameters
US20080282314A1 (en) 2007-05-09 2008-11-13 Microsoft Corporation Firewall with policy hints
US20080289027A1 (en) 2007-05-18 2008-11-20 Microsoft Corporation Incorporating network connection security levels into firewall rules
US20080289026A1 (en) 2007-05-18 2008-11-20 Microsoft Corporation Firewall installer
US20090006847A1 (en) 2007-06-28 2009-01-01 Microsoft Corporation Filtering kernel-mode network communications
US20090007219A1 (en) 2007-06-28 2009-01-01 Microsoft Corporation Determining a merged security policy for a computer system
US7496962B2 (en) 2004-07-29 2009-02-24 Sourcefire, Inc. Intrusion detection strategies for hypertext transport protocol
US7509673B2 (en) 2003-06-06 2009-03-24 Microsoft Corporation Multi-layered firewall architecture
US20090083727A1 (en) 2007-09-26 2009-03-26 International Business Machines Corporation Method and system for securely installing patches for an operating system
US20090150977A1 (en) 2002-06-13 2009-06-11 Engedi Technologies, Inc. Secure remote management appliance
US7559082B2 (en) 2003-06-25 2009-07-07 Microsoft Corporation Method of assisting an application to traverse a firewall
US7603333B2 (en) 2006-06-14 2009-10-13 Microsoft Corporation Delayed policy evaluation
US20090265755A1 (en) 2008-04-18 2009-10-22 International Business Machines Corporation Firewall methodologies for use within virtual environments
US7639714B2 (en) 2003-11-12 2009-12-29 The Trustees Of Columbia University In The City Of New York Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data
US7701945B2 (en) 2006-08-10 2010-04-20 Sourcefire, Inc. Device, system and method for analysis of segments in a transmission control protocol (TCP) session
US20100107172A1 (en) 2003-12-31 2010-04-29 Sychron Advanced Technologies, Inc. System providing methodology for policy-based resource allocation
US7739728B1 (en) 2005-05-20 2010-06-15 Avaya Inc. End-to-end IP security
US20100180331A1 (en) 2006-03-30 2010-07-15 Nec Corporation Communication terminal device, rule distribution device, and program
US7760733B1 (en) 2005-10-13 2010-07-20 Chelsio Communications, Inc. Filtering ingress packets in network interface circuitry
US7877795B2 (en) 2006-10-30 2011-01-25 At&T Intellectual Property I, Lp Methods, systems, and computer program products for automatically configuring firewalls
US7904940B1 (en) 2004-11-12 2011-03-08 Symantec Corporation Automated environmental policy awareness
US20110072506A1 (en) 2009-09-24 2011-03-24 Fisher-Rosemount Systems, Inc. Integrated unified threat management for a process control system
US7966654B2 (en) 2005-11-22 2011-06-21 Fortinet, Inc. Computerized system and method for policy-based content filtering
US7987503B2 (en) 2005-07-30 2011-07-26 Huawei Technologies Co., Ltd. Firewall control system based on a next generation network service and method thereof
US20110219444A1 (en) 2004-03-10 2011-09-08 Patrick Turley Dynamically adaptive network firewalls and method, system and computer program product implementing same

Patent Citations (57)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7028336B2 (en) 1996-02-06 2006-04-11 Graphon Corporation Firewall providing enhanced network security and user transparency
US5968176A (en) 1997-05-29 1999-10-19 3Com Corporation Multilayer firewall system
US6327660B1 (en) 1998-09-18 2001-12-04 Intel Corporation Method for securing communications in a pre-boot environment
US6721890B1 (en) 1999-05-04 2004-04-13 Microsoft Corporation Application specific distributed firewall
US6493756B1 (en) 1999-10-28 2002-12-10 Networks Associates, Inc. System and method for dynamically sensing an asynchronous network event within a modular framework for network event processing
US6917980B1 (en) 2000-12-12 2005-07-12 International Business Machines Corporation Method and apparatus for dynamic modification of internet firewalls using variably-weighted text rules
US6915437B2 (en) 2000-12-20 2005-07-05 Microsoft Corporation System and method for improved network security
US6996842B2 (en) 2001-01-30 2006-02-07 Intel Corporation Processing internet protocol security traffic
US7284267B1 (en) 2001-03-08 2007-10-16 Mcafee, Inc. Automatically configuring a computer firewall based on network connection
US6928553B2 (en) * 2001-09-18 2005-08-09 Aastra Technologies Limited Providing internet protocol (IP) security
US20060015935A1 (en) 2001-10-26 2006-01-19 Microsoft Corporation Method for providing user authentication/authorization and distributed firewall utilizing same
US20030097590A1 (en) 2001-11-19 2003-05-22 Tuomo Syvanne Personal firewall with location dependent functionality
US20040054610A1 (en) 2001-11-28 2004-03-18 Monetaire Monetaire wealth management platform
US20030118038A1 (en) * 2001-11-29 2003-06-26 Mika Jalava Personalized firewall
US20030142673A1 (en) 2002-01-28 2003-07-31 Basavaraj Patil Method and system for securing mobile IPV6 home address option using ingress filtering
US7188365B2 (en) 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
US20090150977A1 (en) 2002-06-13 2009-06-11 Engedi Technologies, Inc. Secure remote management appliance
US20040003290A1 (en) 2002-06-27 2004-01-01 International Business Machines Corporation Firewall protocol providing additional information
US20040100951A1 (en) 2002-09-18 2004-05-27 O'neill Alan Methods and apparatus for using a care of address option
US20040090921A1 (en) 2002-10-25 2004-05-13 General Instrument Corporation Method and apparatus for testing an IP network
US7308706B2 (en) 2002-10-28 2007-12-11 Secure Computing Corporation Associative policy model
US20040111643A1 (en) 2002-12-02 2004-06-10 Farmer Daniel G. System and method for providing an enterprise-based computer security policy
US7509673B2 (en) 2003-06-06 2009-03-24 Microsoft Corporation Multi-layered firewall architecture
US7559082B2 (en) 2003-06-25 2009-07-07 Microsoft Corporation Method of assisting an application to traverse a firewall
US20040268123A1 (en) 2003-06-27 2004-12-30 Nokia Corporation Security for protocol traversal
US20050091355A1 (en) * 2003-10-02 2005-04-28 International Business Machines Corporation Providing a necessary level of security for computers capable of connecting to different computing environments
US20050097358A1 (en) * 2003-10-29 2005-05-05 Boris Yanovsky Method and apparatus for datastream
US7639714B2 (en) 2003-11-12 2009-12-29 The Trustees Of Columbia University In The City Of New York Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data
US20100107172A1 (en) 2003-12-31 2010-04-29 Sychron Advanced Technologies, Inc. System providing methodology for policy-based resource allocation
US20110219444A1 (en) 2004-03-10 2011-09-08 Patrick Turley Dynamically adaptive network firewalls and method, system and computer program product implementing same
US20050210291A1 (en) 2004-03-22 2005-09-22 Toui Miyawaki Storage area network system using internet protocol, security system, security management program and storage device
US20050229246A1 (en) 2004-03-31 2005-10-13 Priya Rajagopal Programmable context aware firewall with integrated intrusion detection system
US20050240990A1 (en) 2004-04-22 2005-10-27 Microsoft Corporation Systems and methods for managing networks
US20050262554A1 (en) 2004-05-18 2005-11-24 International Business Machines Visualization of firewall rules in an auto provisioning environment
US20050268331A1 (en) 2004-05-25 2005-12-01 Franck Le Extension to the firewall configuration protocols and features
US7496962B2 (en) 2004-07-29 2009-02-24 Sourcefire, Inc. Intrusion detection strategies for hypertext transport protocol
US7904940B1 (en) 2004-11-12 2011-03-08 Symantec Corporation Automated environmental policy awareness
US20070204338A1 (en) 2005-02-17 2007-08-30 At&T Corp Reverse Firewall with Self-Provisioning
US20060195899A1 (en) 2005-02-25 2006-08-31 Microsoft Corporation Providing consistent application aware firewall traversal
US7739728B1 (en) 2005-05-20 2010-06-15 Avaya Inc. End-to-end IP security
US20070016945A1 (en) 2005-07-15 2007-01-18 Microsoft Corporation Automatically generating rules for connection security
US7987503B2 (en) 2005-07-30 2011-07-26 Huawei Technologies Co., Ltd. Firewall control system based on a next generation network service and method thereof
US7760733B1 (en) 2005-10-13 2010-07-20 Chelsio Communications, Inc. Filtering ingress packets in network interface circuitry
US7966654B2 (en) 2005-11-22 2011-06-21 Fortinet, Inc. Computerized system and method for policy-based content filtering
US20100180331A1 (en) 2006-03-30 2010-07-15 Nec Corporation Communication terminal device, rule distribution device, and program
US7603333B2 (en) 2006-06-14 2009-10-13 Microsoft Corporation Delayed policy evaluation
US7701945B2 (en) 2006-08-10 2010-04-20 Sourcefire, Inc. Device, system and method for analysis of segments in a transmission control protocol (TCP) session
US20080148380A1 (en) 2006-10-30 2008-06-19 Microsoft Corporation Dynamic updating of firewall parameters
US7877795B2 (en) 2006-10-30 2011-01-25 At&T Intellectual Property I, Lp Methods, systems, and computer program products for automatically configuring firewalls
US20080282314A1 (en) 2007-05-09 2008-11-13 Microsoft Corporation Firewall with policy hints
US20080289026A1 (en) 2007-05-18 2008-11-20 Microsoft Corporation Firewall installer
US20080289027A1 (en) 2007-05-18 2008-11-20 Microsoft Corporation Incorporating network connection security levels into firewall rules
US20090007219A1 (en) 2007-06-28 2009-01-01 Microsoft Corporation Determining a merged security policy for a computer system
US20090006847A1 (en) 2007-06-28 2009-01-01 Microsoft Corporation Filtering kernel-mode network communications
US20090083727A1 (en) 2007-09-26 2009-03-26 International Business Machines Corporation Method and system for securely installing patches for an operating system
US20090265755A1 (en) 2008-04-18 2009-10-22 International Business Machines Corporation Firewall methodologies for use within virtual environments
US20110072506A1 (en) 2009-09-24 2011-03-24 Fisher-Rosemount Systems, Inc. Integrated unified threat management for a process control system

Non-Patent Citations (9)

* Cited by examiner, † Cited by third party
Title
Fu et al., "IPSec/VPN Security Policy: Correctness, Conflict Detection and Resolution," Computer Science Department, North Caroline State University, US, pp. 1-18, 2001.
Hamed et al., "Taxonomy of Conflicts in Network Security Policies," School of Computer Science, Telecommunications and Information Systems, De Paul University, Chicago, USA, pp. 1-8, 2006.
NSIS Signaling Layer Protocol (NSLP) for network . . . Internet-Draft NAT/FW NSIS NSLP, Stiemerling et al., May 2004.
TCP/IP Fundamentals for Microsoft Windows, downloaded from www.http://ms.helifan.net/technet/network/evaluate/technol/tcpipfund/tcpipfund-ch13.mspx, 2006.
U.S. Appl. No. 11/801,211, filed May 9, 2007, Abzarian et al.
U.S. Appl. No. 11/804,409, filed May 18, 2007, Abzarian et al.
U.S. Appl. No. 11/804,423, filed May 18, 2007, Yariv et al.
U.S. Appl. No. 11/823,837, filed Jun. 28, 2007, Abzarian et al.
U.S. Appl. No. 11/823,861, filed Jun. 28, 2007, Abzarian et al.

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9596219B2 (en) 2010-04-19 2017-03-14 Amaani, Llc Method of transmission of encrypted documents

Also Published As

Publication number Publication date
US20120185929A1 (en) 2012-07-19
US20080289027A1 (en) 2008-11-20
US8166534B2 (en) 2012-04-24

Similar Documents

Publication Publication Date Title
US8776208B2 (en) Incorporating network connection security levels into firewall rules
US8490153B2 (en) Automatically generating rules for connection security
US7308703B2 (en) Protection of data accessible by a mobile device
US11652792B2 (en) Endpoint security domain name server agent
US6804777B2 (en) System and method for application-level virtual private network
US8799441B2 (en) Remote computer management when a proxy server is present at the site of a managed computer
US7685633B2 (en) Providing consistent application aware firewall traversal
US7636936B2 (en) Administration of protection of data accessible by a mobile device
US7478420B2 (en) Administration of protection of data accessible by a mobile device
US8713665B2 (en) Systems, methods, and media for firewall control via remote system information
US8020192B2 (en) Administration of protection of data accessible by a mobile device
US9160614B2 (en) Remote computer management using network communications protocol that enables communication through a firewall and/or gateway
US20050132229A1 (en) Virtual private network based on root-trust module computing platforms
US20080109679A1 (en) Administration of protection of data accessible by a mobile device
US7827547B1 (en) Use of a dynamically loaded library to update remote computer management capability
KR20160043044A (en) Gateway device for terminating a large volume of vpn connections
WO2004107646A1 (en) System and method for application-level virtual private network
KR20050001397A (en) Method of assisting an application to traverse a firewall
US7581241B2 (en) Generating an outbound connection security policy based on an inbound connections security policy
US8200794B1 (en) Primitive functions for use in remote computer management
US11736516B2 (en) SSL/TLS spoofing using tags
JP4775154B2 (en) COMMUNICATION SYSTEM, TERMINAL DEVICE, PROGRAM, AND COMMUNICATION METHOD
US8504665B1 (en) Management of a device connected to a remote computer using the remote computer to effect management actions
KR20210068832A (en) Access control system and method using SQL tool based on web
CN117395014A (en) Secure data exchange system, secure data exchange method, electronic device, and storage medium

Legal Events

Date Code Title Description
STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:034544/0541

Effective date: 20141014

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551)

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20220708